diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Bom/Creators.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Bom/Creators.cs similarity index 97% rename from src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Bom/Creators.cs rename to src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Bom/Creators.cs index 61f024ac..c20d90d2 100644 --- a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Bom/Creators.cs +++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Bom/Creators.cs 
@@ -1,102 +1,102 @@ -// This file is part of CycloneDX Library for .NET -// -// Licensed under the Apache License, Version 2.0 (the “License”); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an “AS IS” BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 -// Copyright (c) OWASP Foundation. All Rights Reserved. - -using System; -using System.Collections.Generic; -using System.Text.RegularExpressions; -using CycloneDX.Models; - -namespace CycloneDX.Spdx.Interop.Helpers -{ - public static class Creators - { - public static List GetSpdxCreators(this Bom bom) - { - var creators = new List(); - - if (bom.Metadata?.Tools?.Tools != null) - { - foreach (var tool in bom.Metadata.Tools.Tools) - { - creators.Add($"Tool: {tool.Name}-{tool.Version}"); - } - } - - if (bom.Metadata?.Authors != null) - { - var orgs = bom.Metadata.Properties?.GetSpdxElements(PropertyTaxonomy.CREATION_INFO_LICENSE_CREATORS_ORGANIZATIONS) ?? new List(); - foreach (var author in bom.Metadata.Authors) - { - if (orgs.Contains(author.Name)) - { - creators.Add($"Organization: {author.Name} ({author.Email})"); - } - else - { - creators.Add($"Person: {author.Name} ({author.Email})"); - } - } - } - - return creators.Count == 0 ? 
null : creators; - } - - public static void AddSpdxCreators(this Bom bom, List creators) - { - if (creators != null) - { - var toolRegex = new Regex(@"Tool: (?.*)-(?.*)"); - var nonToolRegex = new Regex(@"(Person|Organization): (?.*) \((?.*)\)"); - foreach (var creator in creators) - { - var toolMatch = toolRegex.Match(creator); - if (toolMatch.Success) - { - if (bom.Metadata == null) { bom.Metadata = new Metadata(); } - #pragma warning disable 618 - if (bom.Metadata?.Tools?.Tools == null) - { - bom.Metadata.Tools = new ToolChoices { Tools = new List() }; - } - bom.Metadata.Tools.Tools.Add(new Tool { - Name = toolMatch.Groups["name"].ToString(), - Version = toolMatch.Groups["version"].ToString(), - }); - #pragma warning restore 618 - } - else - { - var nonToolMatch = nonToolRegex.Match(creator); - if (nonToolMatch.Success) - { - if (bom.Metadata.Authors == null) { bom.Metadata.Authors = new List(); } - bom.Metadata.Authors.Add(new OrganizationalContact - { - Name = nonToolMatch.Groups["name"].ToString(), - Email = nonToolMatch.Groups["email"].ToString(), - }); - if (creator.StartsWith("Organization:")) - { - bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.CREATION_INFO_LICENSE_CREATORS_ORGANIZATIONS, nonToolMatch.Groups["name"].ToString()); - } - } - } - } - } - } - } -} +// This file is part of CycloneDX Library for .NET +// +// Licensed under the Apache License, Version 2.0 (the “License”); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an “AS IS” BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 +// Copyright (c) OWASP Foundation. 
All Rights Reserved. + +using System; +using System.Collections.Generic; +using System.Text.RegularExpressions; +using CycloneDX.Models; + +namespace CycloneDX.Spdx.Interop.Helpers +{ + public static class Creators + { + public static List GetSpdxCreators(this Bom bom) + { + var creators = new List(); + + if (bom.Metadata?.Tools?.Tools != null) + { + foreach (var tool in bom.Metadata.Tools.Tools) + { + creators.Add($"Tool: {tool.Name}-{tool.Version}"); + } + } + + if (bom.Metadata?.Authors != null) + { + var orgs = bom.Metadata.Properties?.GetSpdxElements(PropertyTaxonomy.CREATION_INFO_LICENSE_CREATORS_ORGANIZATIONS) ?? new List(); + foreach (var author in bom.Metadata.Authors) + { + if (orgs.Contains(author.Name)) + { + creators.Add($"Organization: {author.Name} ({author.Email})"); + } + else + { + creators.Add($"Person: {author.Name} ({author.Email})"); + } + } + } + + return creators.Count == 0 ? null : creators; + } + + public static void AddSpdxCreators(this Bom bom, List creators) + { + if (creators != null) + { + var toolRegex = new Regex(@"Tool: (?.*)-(?.*)"); + var nonToolRegex = new Regex(@"(Person|Organization): (?.*) \((?.*)\)"); + foreach (var creator in creators) + { + var toolMatch = toolRegex.Match(creator); + if (toolMatch.Success) + { + if (bom.Metadata == null) { bom.Metadata = new Metadata(); } + #pragma warning disable 618 + if (bom.Metadata?.Tools?.Tools == null) + { + bom.Metadata.Tools = new ToolChoices { Tools = new List() }; + } + bom.Metadata.Tools.Tools.Add(new Tool { + Name = toolMatch.Groups["name"].ToString(), + Version = toolMatch.Groups["version"].ToString(), + }); + #pragma warning restore 618 + } + else + { + var nonToolMatch = nonToolRegex.Match(creator); + if (nonToolMatch.Success) + { + if (bom.Metadata.Authors == null) { bom.Metadata.Authors = new List(); } + bom.Metadata.Authors.Add(new OrganizationalContact + { + Name = nonToolMatch.Groups["name"].ToString(), + Email = nonToolMatch.Groups["email"].ToString(), + }); + if 
(creator.StartsWith("Organization:")) + { + bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.CREATION_INFO_LICENSE_CREATORS_ORGANIZATIONS, nonToolMatch.Groups["name"].ToString()); + } + } + } + } + } + } + } +} diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Bom/Files.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Bom/Files.cs similarity index 83% rename from src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Bom/Files.cs rename to src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Bom/Files.cs index f2e53cf0..fe8ae3d9 100644 --- a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Bom/Files.cs +++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Bom/Files.cs 
@@ -1,112 +1,123 @@ -// This file is part of CycloneDX Library for .NET -// -// Licensed under the Apache License, Version 2.0 (the “License”); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an “AS IS” BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 -// Copyright (c) OWASP Foundation. All Rights Reserved. - -using System; -using System.Collections.Generic; -using System.Linq; -using CycloneDX.Models; -using CycloneDX.Spdx.Models.v2_2; - -namespace CycloneDX.Spdx.Interop.Helpers -{ - public static class Files - { - public static List GetSpdxFiles(this Bom bom) - { - List files = null; - if (bom.Components != null && bom.Components.Exists(c => c.Type == Component.Classification.File)) - { - files = new List(); - foreach (var component in bom.Components.Where(c => c.Type == Component.Classification.File)) - { - var file = new File - { - FileName = component.Name, - CopyrightText = component.Copyright ?? "NOASSERTION", - SPDXID = component.Properties?.GetSpdxElement(PropertyTaxonomy.SPDXID), - Comment = component.Properties?.GetSpdxElement(PropertyTaxonomy.COMMENT), - Annotations = component.Properties?.GetSpdxElements(PropertyTaxonomy.ANNOTATION), - LicenseComments = component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_COMMENTS), - LicenseConcluded = component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_CONCLUDED) ?? 
"NOASSERTION", - AttributionTexts = component.GetSpdxAttributionTexts(), - FileContributors = component.Properties?.GetSpdxElements( PropertyTaxonomy.FILE_CONTRIBUTOR), - NoticeText = component.Properties?.GetSpdxElement(PropertyTaxonomy.FILE_NOTICE_TEXT), - }; - - if (file.SPDXID == null) - { - if (component.BomRef == null) - { - file.SPDXID = "SPDXRef-File-" + (files.Count + 1).ToString(); - } - else - { - file.SPDXID = $"SPDXRef-{component.BomRef}"; - } - } - - if (component.Properties != null && component.Properties.Exists(p => p.Name == PropertyTaxonomy.FILE_TYPE)) - { - file.FileTypes = new List(); - foreach (var fileType in component.Properties.Where(p => p.Name == PropertyTaxonomy.FILE_TYPE)) - { - var fileTypeEnum = (FileType)Enum.Parse(typeof(FileType), fileType.Value); - file.FileTypes.Add(fileTypeEnum); - } - } - - file.Checksums = component.GetSpdxChecksums(); - - files.Add(file); - } - } - return files; - } - - public static void AddSpdxFiles(this Bom bom, List files) - { - if (files != null && files.Count > 0) - { - if (bom.Components == null) bom.Components = new List(); - foreach (var file in files) - { - var component = new Component - { - Type = Component.Classification.File, - Name = file.FileName, - Copyright = file.CopyrightText, - Properties = new List(), - }; - - component.Properties.AddSpdxElement(PropertyTaxonomy.SPDXID, file.SPDXID); - component.Properties.AddSpdxElement(PropertyTaxonomy.COMMENT, file.Comment); - component.Properties.AddSpdxElements(PropertyTaxonomy.FILE_TYPE, file.FileTypes); - component.Properties.AddSpdxElements(PropertyTaxonomy.ANNOTATION, file.Annotations); - component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_COMMENTS, file.LicenseComments); - component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_CONCLUDED, file.LicenseConcluded); - component.Properties.AddSpdxElements(PropertyTaxonomy.FILE_CONTRIBUTOR, file.FileContributors); - component.Properties.AddSpdxElement(PropertyTaxonomy.FILE_NOTICE_TEXT, 
file.NoticeText); - - component.AddSpdxAttributionTexts(file.AttributionTexts); - component.AddSpdxChecksums(file.Checksums); - - bom.Components.Add(component); - } - } - } - } -} +// This file is part of CycloneDX Library for .NET +// +// Licensed under the Apache License, Version 2.0 (the “License”); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an “AS IS” BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 +// Copyright (c) OWASP Foundation. All Rights Reserved. + +using System; +using System.Collections.Generic; +using System.Linq; +using CycloneDX.Models; +using CycloneDX.Spdx.Models.v2_3; + +namespace CycloneDX.Spdx.Interop.Helpers +{ + public static class Files + { + public static List GetSpdxFiles(this Bom bom) + { + List files = null; + if (bom.Components != null && bom.Components.Exists(c => c.Type == Component.Classification.File)) + { + files = new List(); + foreach (var component in bom.Components.Where(c => c.Type == Component.Classification.File)) + { + var file = new File + { + FileName = component.Name, + + SPDXID = component.Properties?.GetSpdxElement(PropertyTaxonomy.SPDXID), + Comment = component.Properties?.GetSpdxElement(PropertyTaxonomy.COMMENT), + Annotations = component.Properties?.GetSpdxElements(PropertyTaxonomy.ANNOTATION), + LicenseComments = component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_COMMENTS), + AttributionTexts = component.GetSpdxAttributionTexts(), + FileContributors = component.Properties?.GetSpdxElements( PropertyTaxonomy.FILE_CONTRIBUTOR), + NoticeText = 
component.Properties?.GetSpdxElement(PropertyTaxonomy.FILE_NOTICE_TEXT), + }; + + var copyrightText = component.Copyright; + if (!String.IsNullOrEmpty(copyrightText) && copyrightText != "NOASSERTION") + { + file.CopyrightText = copyrightText; + } + + var licenseConcluded = component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_CONCLUDED); + if (!String.IsNullOrEmpty(licenseConcluded) && licenseConcluded != "NOASSERTION") + { + file.LicenseConcluded = licenseConcluded; + } + + if (file.SPDXID == null) + { + if (component.BomRef == null) + { + file.SPDXID = "SPDXRef-File-" + (files.Count + 1).ToString(); + } + else + { + file.SPDXID = $"SPDXRef-{component.BomRef}"; + } + } + + if (component.Properties != null && component.Properties.Exists(p => p.Name == PropertyTaxonomy.FILE_TYPE)) + { + file.FileTypes = new List(); + foreach (var fileType in component.Properties.Where(p => p.Name == PropertyTaxonomy.FILE_TYPE)) + { + var fileTypeEnum = (FileType)Enum.Parse(typeof(FileType), fileType.Value); + file.FileTypes.Add(fileTypeEnum); + } + } + + file.Checksums = component.GetSpdxChecksums(); + + files.Add(file); + } + } + return files; + } + + public static void AddSpdxFiles(this Bom bom, List files) + { + if (files != null && files.Count > 0) + { + if (bom.Components == null) {bom.Components = new List();} + foreach (var file in files) + { + var component = new Component + { + Type = Component.Classification.File, + Name = file.FileName, + Copyright = file.CopyrightText, + Properties = new List(), + }; + + component.Properties.AddSpdxElement(PropertyTaxonomy.SPDXID, file.SPDXID); + component.Properties.AddSpdxElement(PropertyTaxonomy.COMMENT, file.Comment); + component.Properties.AddSpdxElements(PropertyTaxonomy.FILE_TYPE, file.FileTypes); + component.Properties.AddSpdxElements(PropertyTaxonomy.ANNOTATION, file.Annotations); + component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_COMMENTS, file.LicenseComments); + 
component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_CONCLUDED, file.LicenseConcluded); + component.Properties.AddSpdxElements(PropertyTaxonomy.FILE_CONTRIBUTOR, file.FileContributors); + component.Properties.AddSpdxElement(PropertyTaxonomy.FILE_NOTICE_TEXT, file.NoticeText); + + component.AddSpdxAttributionTexts(file.AttributionTexts); + component.AddSpdxChecksums(file.Checksums); + + bom.Components.Add(component); + } + } + } + } +} diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Component/AttributionTexts.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/AttributionTexts.cs similarity index 97% rename from src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Component/AttributionTexts.cs rename to src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/AttributionTexts.cs index cbe7f49b..9cf80b6b 100644 --- a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Component/AttributionTexts.cs +++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/AttributionTexts.cs 
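Review bot: `(FileType)Enum.Parse(typeof(FileType), fileType.Value)` in `GetSpdxFiles` still takes whatever string a `FILE_TYPE` property carries, so one unrecognised value in an input BOM aborts the whole conversion with an `ArgumentException`, and a numeric string such as "42" parses to an undefined enum member that is then written into the SPDX output. Since this commit already tightens how `CopyrightText` and `LicenseConcluded` are populated, that loop deserves the same treatment: `if (Enum.TryParse(fileType.Value, out FileType fileTypeEnum) && Enum.IsDefined(typeof(FileType), fileTypeEnum)) { file.FileTypes.Add(fileTypeEnum); }`, plus a comment stating whether an unknown file type is dropped or rejected by design. The same concern applies to `SPDXID = $"SPDXRef-{component.BomRef}"`, which is emitted without checking that the bom-ref only contains characters an SPDX identifier allows.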
@@ -1,59 +1,59 @@ -// This file is part of CycloneDX Library for .NET -// -// Licensed under the Apache License, Version 2.0 (the “License”); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an “AS IS” BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 -// Copyright (c) OWASP Foundation. All Rights Reserved. - -using System; -using System.Collections.Generic; -using CycloneDX.Models; - -namespace CycloneDX.Spdx.Interop.Helpers -{ - public static class AttributionTexts - { - public static List GetSpdxAttributionTexts(this Component component) - { - if (component.Evidence?.Copyright != null) - { - var texts = new List(); - foreach (var copyright in component.Evidence.Copyright) - { - texts.Add(copyright.Text); - } - return texts; - } - else - { - return null; - } - } - - public static void AddSpdxAttributionTexts(this Component component, List attributionTexts) - { - if (attributionTexts != null) - { - if (component.Evidence == null) { component.Evidence = new Evidence(); } - if (component.Evidence.Copyright == null) { component.Evidence.Copyright = new List(); } - foreach (var attribution in attributionTexts) - { - component.Evidence.Copyright.Add(new EvidenceCopyright - { - Text = attribution, - }); - } - } - } - } -} +// This file is part of CycloneDX Library for .NET +// +// Licensed under the Apache License, Version 2.0 (the “License”); +// you may not use this file except in compliance with the License. 
+// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an “AS IS” BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 +// Copyright (c) OWASP Foundation. All Rights Reserved. + +using System; +using System.Collections.Generic; +using CycloneDX.Models; + +namespace CycloneDX.Spdx.Interop.Helpers +{ + public static class AttributionTexts + { + public static List GetSpdxAttributionTexts(this Component component) + { + if (component.Evidence?.Copyright != null) + { + var texts = new List(); + foreach (var copyright in component.Evidence.Copyright) + { + texts.Add(copyright.Text); + } + return texts; + } + else + { + return null; + } + } + + public static void AddSpdxAttributionTexts(this Component component, List attributionTexts) + { + if (attributionTexts != null) + { + if (component.Evidence == null) { component.Evidence = new Evidence(); } + if (component.Evidence.Copyright == null) { component.Evidence.Copyright = new List(); } + foreach (var attribution in attributionTexts) + { + component.Evidence.Copyright.Add(new EvidenceCopyright + { + Text = attribution, + }); + } + } + } + } +} diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Component/Checksums.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/Checksums.cs similarity index 57% rename from src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Component/Checksums.cs rename to src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/Checksums.cs index 0b56d342..62049e25 100644 --- a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Component/Checksums.cs +++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/Checksums.cs 
@@ -1,180 +1,294 @@ -// This file is part of CycloneDX Library for .NET -// -// Licensed under the Apache License, Version 2.0 (the “License”); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an “AS IS” BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 -// Copyright (c) OWASP Foundation. All Rights Reserved. - -using System; -using System.Collections.Generic; -using System.Linq; -using CycloneDX.Models; -using CycloneDX.Spdx.Models.v2_2; - -namespace CycloneDX.Spdx.Interop.Helpers -{ - public static class Checksums - { - public static List GetSpdxChecksums(this Component component) - { - var checksums = new List(); - - if (component.Hashes != null && component.Hashes.Count > 0) - { - foreach (var hash in component.Hashes) - { - switch (hash.Alg) - { - case Hash.HashAlgorithm.SHA_1: - checksums.Add(new Checksum - { - Algorithm = ChecksumAlgorithm.SHA1, - ChecksumValue = hash.Content, - }); - break; - case Hash.HashAlgorithm.SHA_256: - checksums.Add(new Checksum - { - Algorithm = ChecksumAlgorithm.SHA256, - ChecksumValue = hash.Content, - }); - break; - case Hash.HashAlgorithm.SHA_384: - checksums.Add(new Checksum - { - Algorithm = ChecksumAlgorithm.SHA384, - ChecksumValue = hash.Content, - }); - break; - case Hash.HashAlgorithm.SHA_512: - checksums.Add(new Checksum - { - Algorithm = ChecksumAlgorithm.SHA512, - ChecksumValue = hash.Content, - }); - break; - case Hash.HashAlgorithm.MD5: - checksums.Add(new Checksum - { - Algorithm = ChecksumAlgorithm.MD5, - ChecksumValue = hash.Content, - }); - break; - } - } - } - - if (component.Properties != 
null && component.Properties.Exists(p => p.Name.StartsWith(PropertyTaxonomy.CHECKSUM))) - { - foreach (var checksum in component.Properties.Where(p => p.Name.StartsWith(PropertyTaxonomy.CHECKSUM))) - { - switch (checksum.Name) - { - case PropertyTaxonomy.CHECKSUM_SHA224: - checksums.Add(new Checksum - { - Algorithm = ChecksumAlgorithm.SHA224, - ChecksumValue = checksum.Value, - }); - break; - case PropertyTaxonomy.CHECKSUM_MD2: - checksums.Add(new Checksum - { - Algorithm = ChecksumAlgorithm.MD2, - ChecksumValue = checksum.Value, - }); - break; - case PropertyTaxonomy.CHECKSUM_MD4: - checksums.Add(new Checksum - { - Algorithm = ChecksumAlgorithm.MD4, - ChecksumValue = checksum.Value, - }); - break; - case PropertyTaxonomy.CHECKSUM_MD6: - checksums.Add(new Checksum - { - Algorithm = ChecksumAlgorithm.MD6, - ChecksumValue = checksum.Value, - }); - break; - } - } - } - - return checksums.Count == 0 ? null : checksums; - } - - public static void AddSpdxChecksums(this Component component, List checksums) - { - if (checksums != null && checksums.Count > 0) - { - if (component.Properties == null) { component.Properties = new List(); } - if (component.Hashes == null) { component.Hashes = new List(); } - foreach (var checksum in checksums) - { - switch (checksum.Algorithm) - { - case ChecksumAlgorithm.SHA1: - component.Hashes.Add(new Hash - { - Alg = Hash.HashAlgorithm.SHA_1, - Content = checksum.ChecksumValue, - }); - break; - case ChecksumAlgorithm.SHA224: - component.Properties.AddSpdxElement(PropertyTaxonomy.CHECKSUM_SHA224, checksum.ChecksumValue); - break; - case ChecksumAlgorithm.SHA256: - component.Hashes.Add(new Hash - { - Alg = Hash.HashAlgorithm.SHA_256, - Content = checksum.ChecksumValue, - }); - break; - case ChecksumAlgorithm.SHA384: - component.Hashes.Add(new Hash - { - Alg = Hash.HashAlgorithm.SHA_384, - Content = checksum.ChecksumValue, - }); - break; - case ChecksumAlgorithm.SHA512: - component.Hashes.Add(new Hash - { - Alg = Hash.HashAlgorithm.SHA_512, - 
Content = checksum.ChecksumValue, - }); - break; - case ChecksumAlgorithm.MD2: - component.Properties.AddSpdxElement(PropertyTaxonomy.CHECKSUM_MD2, checksum.ChecksumValue); - break; - case ChecksumAlgorithm.MD4: - component.Properties.AddSpdxElement(PropertyTaxonomy.CHECKSUM_MD4, checksum.ChecksumValue); - break; - case ChecksumAlgorithm.MD5: - component.Hashes.Add(new Hash - { - Alg = Hash.HashAlgorithm.MD5, - Content = checksum.ChecksumValue, - }); - break; - case ChecksumAlgorithm.MD6: - component.Properties.AddSpdxElement(PropertyTaxonomy.CHECKSUM_MD6, checksum.ChecksumValue); - break; - } - } - } - } - } -} +// This file is part of CycloneDX Library for .NET +// +// Licensed under the Apache License, Version 2.0 (the “License”); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an “AS IS” BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 +// Copyright (c) OWASP Foundation. All Rights Reserved. 
+ +using System; +using System.Collections.Generic; +using System.Linq; +using CycloneDX.Models; +using CycloneDX.Spdx.Models.v2_3; + +namespace CycloneDX.Spdx.Interop.Helpers +{ + public static class Checksums + { + public static List GetSpdxChecksums(this Component component) + { + var checksums = new List(); + + if (component.Hashes != null && component.Hashes.Count > 0) + { + foreach (var hash in component.Hashes) + { + switch (hash.Alg) + { + case Hash.HashAlgorithm.SHA_1: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.SHA1, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.SHA_256: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.SHA256, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.SHA_384: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.SHA384, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.SHA_512: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.SHA512, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.MD5: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.MD5, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.SHA3_256: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.SHA3_256, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.SHA3_384: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.SHA3_384, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.SHA3_512: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.SHA3_512, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.BLAKE2b_256: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.BLAKE2b_256, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.BLAKE2b_384: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.BLAKE2b_384, + ChecksumValue = 
hash.Content, + }); + break; + case Hash.HashAlgorithm.BLAKE2b_512: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.BLAKE2b_512, + ChecksumValue = hash.Content, + }); + break; + case Hash.HashAlgorithm.BLAKE3: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.BLAKE3, + ChecksumValue = hash.Content, + }); + break; + default: + throw new ArgumentOutOfRangeException(nameof(hash.Alg), $"Unsupported hash algorithm: {hash.Alg}"); + } + } + } + + if (component.Properties != null && component.Properties.Exists(p => p.Name.StartsWith(PropertyTaxonomy.CHECKSUM))) + { + foreach (var checksum in component.Properties.Where(p => p.Name.StartsWith(PropertyTaxonomy.CHECKSUM))) + { + switch (checksum.Name) + { + case PropertyTaxonomy.CHECKSUM_SHA224: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.SHA224, + ChecksumValue = checksum.Value, + }); + break; + case PropertyTaxonomy.CHECKSUM_MD2: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.MD2, + ChecksumValue = checksum.Value, + }); + break; + case PropertyTaxonomy.CHECKSUM_MD4: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.MD4, + ChecksumValue = checksum.Value, + }); + break; + case PropertyTaxonomy.CHECKSUM_MD6: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.MD6, + ChecksumValue = checksum.Value, + }); + break; + case PropertyTaxonomy.CHECKSUM_ADLER32: + checksums.Add(new Checksum + { + Algorithm = ChecksumAlgorithm.ADLER32, + ChecksumValue = checksum.Value, + }); + break; + default: + throw new ArgumentOutOfRangeException(nameof(checksum.Name), $"Unsupported hash algorithm: {checksum.Name}"); + } + } + } + + return checksums.Count == 0 ? 
null : checksums; + } + + public static void AddSpdxChecksums(this Component component, List checksums) + { + if (checksums != null && checksums.Count > 0) + { + if (component.Properties == null) { component.Properties = new List(); } + if (component.Hashes == null) { component.Hashes = new List(); } + foreach (var checksum in checksums) + { + switch (checksum.Algorithm) + { + case ChecksumAlgorithm.SHA1: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.SHA_1, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.SHA224: + component.Properties.AddSpdxElement(PropertyTaxonomy.CHECKSUM_SHA224, checksum.ChecksumValue); + break; + case ChecksumAlgorithm.SHA256: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.SHA_256, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.SHA384: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.SHA_384, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.SHA512: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.SHA_512, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.MD2: + component.Properties.AddSpdxElement(PropertyTaxonomy.CHECKSUM_MD2, checksum.ChecksumValue); + break; + case ChecksumAlgorithm.MD4: + component.Properties.AddSpdxElement(PropertyTaxonomy.CHECKSUM_MD4, checksum.ChecksumValue); + break; + case ChecksumAlgorithm.MD5: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.MD5, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.MD6: + component.Properties.AddSpdxElement(PropertyTaxonomy.CHECKSUM_MD6, checksum.ChecksumValue); + break; + case ChecksumAlgorithm.SHA3_256: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.SHA3_256, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.SHA3_384: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.SHA3_384, + Content = checksum.ChecksumValue, + }); + 
break; + case ChecksumAlgorithm.SHA3_512: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.SHA3_512, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.BLAKE2b_256: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.BLAKE2b_256, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.BLAKE2b_384: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.BLAKE2b_384, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.BLAKE2b_512: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.BLAKE2b_512, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.BLAKE3: + component.Hashes.Add(new Hash + { + Alg = Hash.HashAlgorithm.BLAKE3, + Content = checksum.ChecksumValue, + }); + break; + case ChecksumAlgorithm.ADLER32: + component.Properties.AddSpdxElement(PropertyTaxonomy.CHECKSUM_ADLER32, checksum.ChecksumValue); + break; + default: + throw new ArgumentOutOfRangeException(nameof(checksum.Algorithm), $"Unsupported checksum algorithm: {checksum.Algorithm}"); + } + } + } + } + } +} \ No newline at end of file diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Component/ExternalRefs.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/ExternalRefs.cs similarity index 59% rename from src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Component/ExternalRefs.cs rename to src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/ExternalRefs.cs index d3c23d8b..c1db2e35 100644 --- a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/Component/ExternalRefs.cs +++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/ExternalRefs.cs 
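Review bot: The new `default:` in the property-name switch (second loop of `GetSpdxChecksums`) throws for any component property whose name merely starts with `PropertyTaxonomy.CHECKSUM` but is not one of the five listed constants, so a BOM carrying an unrecognised or future taxonomy entry under that prefix now fails conversion outright where it was previously skipped; if that is intended it deserves a comment saying so, otherwise `continue` is the safer fallback. The exception is also mislabelled: `ArgumentOutOfRangeException` with `nameof(checksum.Name)` reports a parameter called "Name" that does not exist, and the message says "Unsupported hash algorithm" for what is a property name, so `throw new NotSupportedException($"Unsupported checksum property: {checksum.Name}");` describes the situation accurately (the `hash.Alg` and `checksum.Algorithm` throws have the same paramName problem). The two `p.Name.StartsWith(PropertyTaxonomy.CHECKSUM)` calls are culture-sensitive; pass `StringComparison.Ordinal` when matching identifiers.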
@@ -1,153 +1,151 @@ -// This file is part of CycloneDX Library for .NET -// -// Licensed under the Apache License, Version 2.0 (the “License”); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an “AS IS” BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 -// Copyright (c) OWASP Foundation. All Rights Reserved. - -using System; -using System.Collections.Generic; -using System.Linq; -using CycloneDX.Models; -using CycloneDX.Spdx.Models.v2_2; - -namespace CycloneDX.Spdx.Interop.Helpers -{ - public static class ExternalRefs - { - public static List GetSpdxExternalRefs(this Component component) - { - if (component.Properties == null) - { - return null; - } - var extRefs = new List(); - foreach (var extRefProp in component.Properties.Where(p => p.Name.StartsWith(PropertyTaxonomy.EXTERNAL_REFERENCE))) - { - var extRef = new ExternalRef(); - if (extRefProp.Name.StartsWith(PropertyTaxonomy.EXTERNAL_REFERENCE_OTHER)) - { - extRef.ReferenceCategory = ExternalRefCategory.OTHER; - extRef.ReferenceType = extRefProp.Name.Substring(PropertyTaxonomy.EXTERNAL_REFERENCE_OTHER.Length + 1); - } - else switch (extRefProp.Name) - { - case PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE22: - extRef.ReferenceCategory = ExternalRefCategory.SECURITY; - extRef.ReferenceType = "cpe22Type"; - break; - case PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE23: - extRef.ReferenceCategory = ExternalRefCategory.SECURITY; - extRef.ReferenceType = "cpe23Type"; - break; - case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_MAVEN_CENTRAL: - extRef.ReferenceCategory = 
ExternalRefCategory.PACKAGE_MANAGER; - extRef.ReferenceType = "maven-central"; - break; - case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_NPM: - extRef.ReferenceCategory = ExternalRefCategory.PACKAGE_MANAGER; - extRef.ReferenceType = "npm"; - break; - case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_NUGET: - extRef.ReferenceCategory = ExternalRefCategory.PACKAGE_MANAGER; - extRef.ReferenceType = "nuget"; - break; - case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_BOWER: - extRef.ReferenceCategory = ExternalRefCategory.PACKAGE_MANAGER; - extRef.ReferenceType = "bower"; - break; - case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_PURL: - extRef.ReferenceCategory = ExternalRefCategory.PACKAGE_MANAGER; - extRef.ReferenceType = "purl"; - break; - //TODO add this back in once the SPDX JSON schema is fixed https://github.com/spdx/spdx-spec/issues/612 - //TODO and write corresponding code in AddExternalRefsToCDX - // case PropertyTaxonomy.EXTERNAL_REFERENCE_PERSISTENT_ID_SWH: - // extRef.ReferenceCategory = ExternalRefCategory.PERSISTENT_ID; - // extRef.ReferenceType = "swh"; - // break; - } - if (extRef.ReferenceType != null) - { - var parts = extRefProp.Value.Split(' '); - extRef.ReferenceLocator = parts[0]; - if (parts.Length > 1) - { - extRef.Comment = String.Join(" ", extRefProp.Value.Split(' ').Skip(1).ToList()); - } - extRefs.Add(extRef); - } - } - return extRefs.Count == 0 ? 
null : extRefs; - } - - public static void AddSpdxExternalRefs(this Component component, List externalRefs) - { - if (externalRefs != null && externalRefs.Count > 0) - { - if (component.Properties == null) { component.Properties = new List(); } - foreach (var extRef in externalRefs) - { - string refPropName = null; - if (extRef.ReferenceCategory == ExternalRefCategory.SECURITY) - { - switch (extRef.ReferenceType) - { - case "cpe22Type": - refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE22; - break; - case "cpe23Type": - refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE23; - break; - } - } - else if (extRef.ReferenceCategory == ExternalRefCategory.PACKAGE_MANAGER) - { - switch (extRef.ReferenceType) - { - case "maven-central": - refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_MAVEN_CENTRAL; - break; - case "npm": - refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_NPM; - break; - case "nuget": - refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_NUGET; - break; - case "bower": - refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_BOWER; - break; - case "purl": - refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_PURL; - break; - } - } - else if (extRef.ReferenceCategory == ExternalRefCategory.OTHER) - { - refPropName = $"{PropertyTaxonomy.EXTERNAL_REFERENCE_OTHER}:{extRef.ReferenceType}"; - } - - if (refPropName != null) - { - var refPropValue = extRef.ReferenceLocator; - if (extRef.Comment != null) - { - refPropValue = $"{extRef.ReferenceLocator} {extRef.Comment}"; - } - component.Properties.AddSpdxElement(refPropName, refPropValue); - } - } - } - } - } -} +// This file is part of CycloneDX Library for .NET +// +// Licensed under the Apache License, Version 2.0 (the “License”); +// you may not use this file except in compliance with the License. 
+// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an “AS IS” BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 +// Copyright (c) OWASP Foundation. All Rights Reserved. + +using System; +using System.Collections.Generic; +using System.Linq; +using CycloneDX.Models; +using CycloneDX.Spdx.Models.v2_3; + +namespace CycloneDX.Spdx.Interop.Helpers +{ + public static class ExternalRefs + { + public static List GetSpdxExternalRefs(this Component component) + { + if (component.Properties == null) + { + return null; + } + var extRefs = new List(); + foreach (var extRefProp in component.Properties.Where(p => p.Name.StartsWith(PropertyTaxonomy.EXTERNAL_REFERENCE))) + { + var extRef = new ExternalRef(); + if (extRefProp.Name.StartsWith(PropertyTaxonomy.EXTERNAL_REFERENCE_OTHER)) + { + extRef.ReferenceCategory = ExternalRefCategory.OTHER; + extRef.ReferenceType = extRefProp.Name.Substring(PropertyTaxonomy.EXTERNAL_REFERENCE_OTHER.Length + 1); + } + else { + switch (extRefProp.Name) + { + case PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE22: + extRef.ReferenceCategory = ExternalRefCategory.SECURITY; + extRef.ReferenceType = "cpe22Type"; + break; + case PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE23: + extRef.ReferenceCategory = ExternalRefCategory.SECURITY; + extRef.ReferenceType = "cpe23Type"; + break; + case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_MAVEN_CENTRAL: + extRef.ReferenceCategory = ExternalRefCategory.PACKAGE_MANAGER; + extRef.ReferenceType = "maven-central"; + break; + case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_NPM: + extRef.ReferenceCategory = ExternalRefCategory.PACKAGE_MANAGER; + 
extRef.ReferenceType = "npm"; + break; + case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_NUGET: + extRef.ReferenceCategory = ExternalRefCategory.PACKAGE_MANAGER; + extRef.ReferenceType = "nuget"; + break; + case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_BOWER: + extRef.ReferenceCategory = ExternalRefCategory.PACKAGE_MANAGER; + extRef.ReferenceType = "bower"; + break; + case PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_PURL: + extRef.ReferenceCategory = ExternalRefCategory.PACKAGE_MANAGER; + extRef.ReferenceType = "purl"; + break; + case PropertyTaxonomy.EXTERNAL_REFERENCE_PERSISTENT_ID_SWH: + extRef.ReferenceCategory = ExternalRefCategory.PERSISTENT_ID; + extRef.ReferenceType = "swh"; + break; + default: + throw new ArgumentOutOfRangeException(nameof(extRefProp.Name), $"Unsupported external reference property: {extRefProp.Name}"); + } + } + if (extRef.ReferenceType != null) + { + var parts = extRefProp.Value.Split(' '); + extRef.ReferenceLocator = parts[0]; + if (parts.Length > 1) + { + extRef.Comment = String.Join(" ", extRefProp.Value.Split(' ').Skip(1).ToList()); + } + extRefs.Add(extRef); + } + } + return extRefs.Count == 0 ? 
null : extRefs; + } + + public static void AddSpdxExternalRefs(this Component component, List externalRefs) + { + if (externalRefs != null && externalRefs.Count > 0) + { + if (component.Properties == null) { component.Properties = new List(); } + foreach (var extRef in externalRefs) + { + string refPropName = null; + if (extRef.ReferenceCategory == ExternalRefCategory.SECURITY) + { + if(extRef.ReferenceType == "cpe22Type") { refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE22; } + else if(extRef.ReferenceType == "cpe23Type"){ refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE23; } + } + else if (extRef.ReferenceCategory == ExternalRefCategory.PACKAGE_MANAGER) + { + switch (extRef.ReferenceType) + { + case "maven-central": + refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_MAVEN_CENTRAL; + break; + case "npm": + refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_NPM; + break; + case "nuget": + refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_NUGET; + break; + case "bower": + refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_BOWER; + break; + case "purl": + refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_PURL; + break; + default: + throw new ArgumentOutOfRangeException(nameof(extRef.ReferenceType), $"Unsupported external reference type: {extRef.ReferenceType}"); + } + } + else if (extRef.ReferenceCategory == ExternalRefCategory.PERSISTENT_ID) { refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PERSISTENT_ID_SWH; } + else if (extRef.ReferenceCategory == ExternalRefCategory.OTHER) + { + refPropName = $"{PropertyTaxonomy.EXTERNAL_REFERENCE_OTHER}:{extRef.ReferenceType}"; + } + + if (refPropName != null) + { + var refPropValue = extRef.ReferenceLocator; + if (extRef.Comment != null) + { + refPropValue = $"{extRef.ReferenceLocator} {extRef.Comment}"; + } + component.Properties.AddSpdxElement(refPropName, refPropValue); + } + } + } + } + } +} 
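Review bot: In `AddSpdxExternalRefs`, the new `PERSISTENT_ID` branch assigns `PropertyTaxonomy.EXTERNAL_REFERENCE_PERSISTENT_ID_SWH` without looking at `extRef.ReferenceType`, so a persistent-id reference of any other type (SPDX 2.3 also lists `gitoid` in that category, if I recall the spec correctly) is relabelled as `swh` and comes back out of `GetSpdxExternalRefs` with the wrong type — a silently altered provenance identifier. Mirror the `PACKAGE_MANAGER` branch and match the type explicitly: `else if (extRef.ReferenceCategory == ExternalRefCategory.PERSISTENT_ID && extRef.ReferenceType == "swh") { refPropName = PropertyTaxonomy.EXTERNAL_REFERENCE_PERSISTENT_ID_SWH; }`, then either throw or deliberately skip other types. The categories now disagree on how an unknown type is treated — `SECURITY` drops it, `PACKAGE_MANAGER` throws, `PERSISTENT_ID` relabels it — so one policy, stated in a comment on the method, would make the behaviour predictable. Separately, the new `default: throw` in `GetSpdxExternalRefs` turns any property whose name merely starts with `PropertyTaxonomy.EXTERNAL_REFERENCE` but is not in the switch into a failure of the whole conversion where the old code skipped it; if that is intended, the `if (extRef.ReferenceType != null)` guard after the switch can no longer be false and is worth a comment or removal.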
diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/CycloneDXBomHelpers.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/CycloneDXBomHelpers.cs
similarity index 81%
rename from src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/CycloneDXBomHelpers.cs
rename to src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/CycloneDXBomHelpers.cs
index 3d244864..63eeba46 100644
--- a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/CycloneDXBomHelpers.cs
+++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/CycloneDXBomHelpers.cs
@@ -1,212 +1,245 @@ -// This file is part of CycloneDX Library for .NET -// -// Licensed under the Apache License, Version 2.0 (the “License”); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an “AS IS” BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 -// Copyright (c) OWASP Foundation. All Rights Reserved. - -using System; -using System.Collections.Generic; -using System.Linq; -using System.Text.RegularExpressions; -using CycloneDX.Models; -using CycloneDX.Spdx.Models.v2_2; - -namespace CycloneDX.Spdx.Interop.Helpers -{ - public static class CycloneDXBomHelpers - { - public static void AddSpdxPackages(this Bom bom, SpdxDocument doc) - { - if (doc.Packages == null || doc.Packages.Count == 0) { return; } - if (bom.Components == null) { bom.Components = new List(); } - foreach (var package in doc.Packages) - { - var component = new Component - { - Type = Component.Classification.Library, - Name = package.Name, - Version = package.VersionInfo, - Copyright = package.CopyrightText, - Description = package.Description, - Properties = new List(), - }; - component.Properties.AddSpdxElement(PropertyTaxonomy.SPDXID, package.SPDXID); - component.Properties.AddSpdxElements(PropertyTaxonomy.ANNOTATION, package.Annotations); - component.Properties.AddSpdxElement(PropertyTaxonomy.FILES_ANALYZED, package.FilesAnalyzed); - component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_COMMENTS, package.LicenseComments); - component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_CONCLUDED, package.LicenseConcluded); - 
component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_FILENAME, package.PackageFileName); - component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_VERIFICATION_CODE_VALUE, package.PackageVerificationCode?.PackageVerificationCodeValue); - component.Properties.AddSpdxElements(PropertyTaxonomy.PACKAGE_VERIFICATION_CODE_EXCLUDED_FILE, package.PackageVerificationCode?.PackageVerificationCodeExcludedFiles); - component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_SOURCE_INFO, package.SourceInfo); - component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_SUMMARY, package.Summary); - component.Properties.AddSpdxElement(PropertyTaxonomy.COMMENT, package.Comment); - - if (package.LicenseInfoFromFiles != null && package.LicenseInfoFromFiles.Count > 0) - { - if (component.Evidence == null) { component.Evidence = new Evidence(); } - if (component.Evidence.Licenses == null) { component.Evidence.Licenses = new List(); } - foreach (var licenseInfo in package.LicenseInfoFromFiles) - { - if (licenseInfo.StartsWith("LicenseRef-") - && doc.HasExtractedLicensingInfos != null - && doc.HasExtractedLicensingInfos.Exists(l => l.LicenseId == licenseInfo)) - { - var license = doc.HasExtractedLicensingInfos.First(l => l.LicenseId == licenseInfo); - component.Evidence.Licenses.Add(new LicenseChoice - { - License = new License - { - Name = license.Name, - Text = new AttachedText - { - ContentType = "text/plain", - Encoding = "base64", - Content = license.ExtractedText.Base64Encode(), - }, - Url = license.SeeAlsos?.FirstOrDefault(), - } - }); - } - else if (licenseInfo.StartsWith("LicenseRef-") || licenseInfo.StartsWith("DocumentRef-")) - { - component.Evidence.Licenses.Add(new LicenseChoice - { - License = new License - { - Name = licenseInfo, - } - }); - } - else if (licenseInfo == "NONE" || licenseInfo == "NOASSERTION") - { - // don't do anything for this case - } - else - { - component.Evidence.Licenses.Add(new LicenseChoice - { - License = new License - { - Id = 
licenseInfo, - } - }); - } - } - } - - if (package.LicenseDeclared == "NOASSERTION") - { - component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_DECLARED, package.LicenseDeclared); - } - else if (package.LicenseDeclared == "NONE") - { - component.Licenses = new List(); - } - else - { - component.Licenses = new List { new LicenseChoice { Expression = package.LicenseDeclared } }; - } - - if (package.Originator != null) - { - if (package.Originator == "NOASSERTION") - { - component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR, package.Originator); - } - else - { - var originatorRegex = new Regex(@"(Person|Organization): (?.*) \((?.*)\)"); - var originatorMatch = originatorRegex.Match(package.Originator); - if (originatorMatch.Success) - { - #pragma warning disable 618 - component.Author = originatorMatch.Groups["name"].ToString(); - #pragma warning restore 618 - if (package.Originator.ToLowerInvariant().StartsWith("organization:")) - { - #pragma warning disable 618 - component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_ORGANIZATION, component.Author); - #pragma warning restore 618 - } - component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_EMAIL, originatorMatch.Groups["email"].ToString()); - } - } - } - - if (package.Supplier != null) - { - if (package.Supplier == "NOASSERTION") - { - component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_SUPPLIER, package.Supplier); - } - else - { - var supplierRegex = new Regex(@"(Person|Organization): (?.*) \((?.*)\)"); - var supplierMatch = supplierRegex.Match(package.Supplier); - if (supplierMatch.Success) - { - component.Supplier = new OrganizationalEntity - { - Name = supplierMatch.Groups["name"].ToString(), - Contact = new List - { - new OrganizationalContact - { - Email = supplierMatch.Groups["email"].ToString() - } - }, - }; - if (package.Supplier.ToLowerInvariant().StartsWith("organization:")) - { - 
component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_SUPPLIER_ORGANIZATION, component.Supplier.Name); - } - } - } - } - - component.AddSpdxAttributionTexts(package.AttributionTexts); - component.AddSpdxChecksums(package.Checksums); - component.AddSpdxExternalRefs(package.ExternalRefs); - - if (package.DownloadLocation != null) - { - if (component.ExternalReferences == null) component.ExternalReferences = new List(); - component.ExternalReferences.Add(new ExternalReference - { - Type = ExternalReference.ExternalReferenceType.Distribution, - Url = package.DownloadLocation, - }); - component.Properties.AddSpdxElement(PropertyTaxonomy.DOWNLOAD_LOCATION, package.DownloadLocation); - } - - if (package.Homepage != null) - { - if (component.ExternalReferences == null) component.ExternalReferences = new List(); - component.ExternalReferences.Add(new ExternalReference - { - Type = ExternalReference.ExternalReferenceType.Website, - Url = package.Homepage, - }); - component.Properties.AddSpdxElement(PropertyTaxonomy.HOMEPAGE, package.Homepage); - } - - //TODO HasFile - - bom.Components.Add(component); - } - } - - } -} +// This file is part of CycloneDX Library for .NET +// +// Licensed under the Apache License, Version 2.0 (the “License”); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an “AS IS” BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 +// Copyright (c) OWASP Foundation. All Rights Reserved. 
+ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text.RegularExpressions; +using CycloneDX.Models; +using CycloneDX.Spdx.Models.v2_3; + +namespace CycloneDX.Spdx.Interop.Helpers +{ + public static class CycloneDXBomHelpers + { + public static void AddSpdxPackages(this Bom bom, SpdxDocument doc) + { + if (doc.Packages == null || doc.Packages.Count == 0) { return; } + if (bom.Components == null) { bom.Components = new List(); } + foreach (var package in doc.Packages) + { + var component = new Component + { + Name = package.Name, + Version = package.VersionInfo, + Copyright = package.CopyrightText, + Description = package.Description, + Properties = new List(), + }; + component.Properties.AddSpdxElement(PropertyTaxonomy.SPDXID, package.SPDXID); + component.Properties.AddSpdxElements(PropertyTaxonomy.ANNOTATION, package.Annotations); + component.Properties.AddSpdxElement(PropertyTaxonomy.FILES_ANALYZED, package.FilesAnalyzed); + component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_COMMENTS, package.LicenseComments); + component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_CONCLUDED, package.LicenseConcluded); + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_FILENAME, package.PackageFileName); + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_VERIFICATION_CODE_VALUE, package.PackageVerificationCode?.PackageVerificationCodeValue); + component.Properties.AddSpdxElements(PropertyTaxonomy.PACKAGE_VERIFICATION_CODE_EXCLUDED_FILE, package.PackageVerificationCode?.PackageVerificationCodeExcludedFiles); + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_SOURCE_INFO, package.SourceInfo); + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_SUMMARY, package.Summary); + component.Properties.AddSpdxElement(PropertyTaxonomy.COMMENT, package.Comment); + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_BUILT_DATE, package.BuiltDate?.ToString("yyyy-MM-ddTHH:mm:ss'Z'")); + 
component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_RELEASE_DATE, package.ReleaseDate?.ToString("yyyy-MM-ddTHH:mm:ss'Z'")); + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_VALID_UNTIL_DATE, package.ValidUntilDate?.ToString("yyyy-MM-ddTHH:mm:ss'Z'")); + + //Type + if (package.PrimaryPackagePurpose != null) + { + switch (package.PrimaryPackagePurpose) + { + case PrimaryPackagePurposeType.APPLICATION: + component.Type = Component.Classification.Application; + break; + case PrimaryPackagePurposeType.FIRMWARE: + component.Type = Component.Classification.Firmware; + break; + case PrimaryPackagePurposeType.FRAMEWORK: + component.Type = Component.Classification.Framework; + break; + case PrimaryPackagePurposeType.OPERATING_SYSTEM: + component.Type = Component.Classification.Operating_System; + break; + case PrimaryPackagePurposeType.CONTAINER: + component.Type = Component.Classification.Container; + break; + default: + component.Type = Component.Classification.Library; + break; + } + } + else + { + component.Type = Component.Classification.Library; + } + + + if (package.LicenseInfoFromFiles != null && package.LicenseInfoFromFiles.Count > 0) + { + if (component.Evidence == null) { component.Evidence = new Evidence(); } + if (component.Evidence.Licenses == null) { component.Evidence.Licenses = new List(); } + foreach (var licenseInfo in package.LicenseInfoFromFiles) + { + if (licenseInfo.StartsWith("LicenseRef-") + && doc.HasExtractedLicensingInfos != null + && doc.HasExtractedLicensingInfos.Exists(l => l.LicenseId == licenseInfo)) + { + var license = doc.HasExtractedLicensingInfos.First(l => l.LicenseId == licenseInfo); + component.Evidence.Licenses.Add(new LicenseChoice + { + License = new License + { + Name = license.Name, + Text = new AttachedText + { + ContentType = "text/plain", + Encoding = "base64", + Content = license.ExtractedText.Base64Encode(), + }, + Url = license.SeeAlsos?.FirstOrDefault(), + } + }); + } + else if 
(licenseInfo.StartsWith("LicenseRef-") || licenseInfo.StartsWith("DocumentRef-")) + { + component.Evidence.Licenses.Add(new LicenseChoice + { + License = new License + { + Name = licenseInfo, + } + }); + } + else if (licenseInfo == "NONE" || licenseInfo == "NOASSERTION") + { + // don't do anything for this case + } + else + { + component.Evidence.Licenses.Add(new LicenseChoice + { + License = new License + { + Id = licenseInfo, + } + }); + } + } + } + + if (package.LicenseDeclared == "NOASSERTION") + { + component.Properties.AddSpdxElement(PropertyTaxonomy.LICENSE_DECLARED, package.LicenseDeclared); + } + else if (package.LicenseDeclared == "NONE") + { + component.Licenses = new List(); + } + else + { + component.Licenses = new List { new LicenseChoice { Expression = package.LicenseDeclared } }; + } + + if (package.Originator != null) + { + if (package.Originator == "NOASSERTION") + { + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR, package.Originator); + } + else + { + var originatorRegex = new Regex(@"(Person|Organization): (?.*) \((?.*)\)"); + var originatorMatch = originatorRegex.Match(package.Originator); + if (originatorMatch.Success) + { + #pragma warning disable 618 + component.Author = originatorMatch.Groups["name"].ToString(); + #pragma warning restore 618 + if (package.Originator.ToLowerInvariant().StartsWith("organization:")) + { + #pragma warning disable 618 + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_ORGANIZATION, component.Author); + #pragma warning restore 618 + } + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_EMAIL, originatorMatch.Groups["email"].ToString()); + } + } + } + + if (package.Supplier != null) + { + if (package.Supplier == "NOASSERTION") + { + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_SUPPLIER, package.Supplier); + } + else + { + var supplierRegex = new Regex(@"(Person|Organization): (?.*) \((?.*)\)"); + var supplierMatch = 
supplierRegex.Match(package.Supplier); + if (supplierMatch.Success) + { + component.Supplier = new OrganizationalEntity + { + Name = supplierMatch.Groups["name"].ToString(), + Contact = new List + { + new OrganizationalContact + { + Email = supplierMatch.Groups["email"].ToString() + } + }, + }; + if (package.Supplier.ToLowerInvariant().StartsWith("organization:")) + { + component.Properties.AddSpdxElement(PropertyTaxonomy.PACKAGE_SUPPLIER_ORGANIZATION, component.Supplier.Name); + } + } + } + } + + component.AddSpdxAttributionTexts(package.AttributionTexts); + component.AddSpdxChecksums(package.Checksums); + component.AddSpdxExternalRefs(package.ExternalRefs); + + if (package.DownloadLocation != null) + { + if (component.ExternalReferences == null) { component.ExternalReferences = new List(); } + component.ExternalReferences.Add(new ExternalReference + { + Type = ExternalReference.ExternalReferenceType.Distribution, + Url = package.DownloadLocation, + }); + component.Properties.AddSpdxElement(PropertyTaxonomy.DOWNLOAD_LOCATION, package.DownloadLocation); + } + + if (package.Homepage != null && package.Homepage != "NOASSERTION") + { + if (component.ExternalReferences == null) { component.ExternalReferences = new List(); } + component.ExternalReferences.Add(new ExternalReference + { + Type = ExternalReference.ExternalReferenceType.Website, + Url = package.Homepage, + }); + component.Properties.AddSpdxElement(PropertyTaxonomy.HOMEPAGE, package.Homepage); + } + + //TODO HasFile + + bom.Components.Add(component); + } + } + + } +} \ No newline at end of file diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/General.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/General.cs similarity index 96% rename from src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/General.cs rename to src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/General.cs index 0b0ee96b..a0deba77 100644 --- a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/General.cs 
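Review bot: The three new date properties (`PACKAGE_BUILT_DATE`, `PACKAGE_RELEASE_DATE`, `PACKAGE_VALID_UNTIL_DATE`) are formatted with `ToString("yyyy-MM-ddTHH:mm:ss'Z'")` and no culture, so `:` is substituted with the current culture's time separator, and the literal `Z` asserts UTC without the value having been converted — if `BuiltDate` is a `DateTime` with local kind (the v2_3 model is not visible from here) the BOM will carry a local wall-clock time labelled as UTC. Use `package.BuiltDate?.ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture)` for all three, which needs `using System.Globalization;` in the header. Separately, the new `package.Homepage != "NOASSERTION"` guard has no counterpart on the `DownloadLocation` block just above it, so a package whose downloadLocation is `NOASSERTION` or `NONE` — both valid SPDX values — still becomes a `Distribution` external reference whose `Url` is that literal; the same exclusion belongs there.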
+++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/General.cs 
@@ -1,140 +1,140 @@
-// This file is part of CycloneDX Library for .NET
-//
-// Licensed under the Apache License, Version 2.0 (the “License”);
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an “AS IS” BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-// SPDX-License-Identifier: Apache-2.0
-// Copyright (c) OWASP Foundation. All Rights Reserved.
-
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Text.Json;
-using CycloneDX.Models;
-
-namespace CycloneDX.Spdx.Interop.Helpers
-{
- public static class General
- {
- private static JsonSerializerOptions _jsonOptions = new JsonSerializerOptions
- {
- WriteIndented = false,
- };
-
- public static string Base64Encode(this string plainText) {
- var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
- return System.Convert.ToBase64String(plainTextBytes);
- }
-
- public static string Base64Decode(this string base64EncodedData) {
- var base64EncodedBytes = System.Convert.FromBase64String(base64EncodedData);
- return System.Text.Encoding.UTF8.GetString(base64EncodedBytes);
- }
-
- public static void AddSpdxElement(this List properties, string propertyName, string spdxElement)
- {
- if (spdxElement != null)
- {
- properties.Add(new Property
- {
- Name = propertyName,
- Value = spdxElement,
- });
- }
- }
-
- public static void AddSpdxElements(this List properties, string propertyName, List spdxElements)
- {
- if (spdxElements != null)
- {
- foreach (var spdxElement in spdxElements)
- {
- properties.AddSpdxElement(propertyName, spdxElement);
- }
- }
- }
-
- public static void AddSpdxElement(this List properties, string propertyName, T spdxElement)
- {
- if (spdxElement != null)
- {
- properties.Add(new Property
- {
- Name = propertyName,
- Value = JsonSerializer.Serialize(spdxElement, _jsonOptions),
- });
- }
- }
-
- public static void AddSpdxElements(this List properties, string propertyName, List spdxElements)
- {
- if (spdxElements != null)
- {
- foreach (var spdxElement in spdxElements)
- {
- properties.AddSpdxElement(propertyName, spdxElement);
- }
- }
- }
-
- private static T GetSpdxElement(string value)
- {
- return JsonSerializer.Deserialize(value, _jsonOptions);
- }
-
- public static string GetSpdxElement(this List properties, string propertyName)
- {
- var result = properties.GetSpdxElements(propertyName);
- return result == null || result.Count == 0 ? null : result.First();
- }
-
- public static List GetSpdxElements(this List properties, string propertyName)
- {
- if (properties.Exists(p => p.Name == propertyName))
- {
- var spdxElements = new List();
- foreach (var p in properties.Where(p => p.Name == propertyName))
- {
- spdxElements.Add(p.Value);
- }
- return spdxElements.Count > 0 ? spdxElements : null;
- }
- else
- {
- return null;
- }
- }
-
- public static T GetSpdxElement(this List properties, string propertyName)
- {
- var result = properties.GetSpdxElements(propertyName);
- return result == null || result.Count == 0 ? default(T) : result.First();
- }
-
- public static List GetSpdxElements(this List properties, string propertyName)
- {
- if (properties.Exists(p => p.Name == propertyName))
- {
- var spdxElements = new List();
- foreach (var p in properties.Where(p => p.Name == propertyName))
- {
- spdxElements.Add(GetSpdxElement(p.Value));
- }
- return spdxElements.Count > 0 ? spdxElements : null;
- }
- else
- {
- return null;
- }
- }
- }
-}
+// This file is part of CycloneDX Library for .NET
+//
+// Licensed under the Apache License, Version 2.0 (the “License”);
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an “AS IS” BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text.Json;
+using CycloneDX.Models;
+
+namespace CycloneDX.Spdx.Interop.Helpers
+{
+ public static class General
+ {
+ private static JsonSerializerOptions _jsonOptions = new JsonSerializerOptions
+ {
+ WriteIndented = false,
+ };
+
+ public static string Base64Encode(this string plainText) {
+ var plainTextBytes = System.Text.Encoding.UTF8.GetBytes(plainText);
+ return System.Convert.ToBase64String(plainTextBytes);
+ }
+
+ public static string Base64Decode(this string base64EncodedData) {
+ var base64EncodedBytes = System.Convert.FromBase64String(base64EncodedData);
+ return System.Text.Encoding.UTF8.GetString(base64EncodedBytes);
+ }
+
+ public static void AddSpdxElement(this List properties, string propertyName, string spdxElement)
+ {
+ if (spdxElement != null)
+ {
+ properties.Add(new Property
+ {
+ Name = propertyName,
+ Value = spdxElement,
+ });
+ }
+ }
+
+ public static void AddSpdxElements(this List properties, string propertyName, List spdxElements)
+ {
+ if (spdxElements != null)
+ {
+ foreach (var spdxElement in spdxElements)
+ {
+ properties.AddSpdxElement(propertyName, spdxElement);
+ }
+ }
+ }
+
+ public static void AddSpdxElement(this List properties, string propertyName, T spdxElement)
+ {
+ if (!EqualityComparer.Default.Equals(spdxElement, default(T)))
+ {
+ properties.Add(new Property
+ {
+ Name = propertyName,
+ Value = JsonSerializer.Serialize(spdxElement, _jsonOptions),
+ });
+ }
+ }
+
+ public static void AddSpdxElements(this List properties, string propertyName, List spdxElements)
+ {
+ if (spdxElements != null)
+ {
+ foreach (var spdxElement in spdxElements)
+ {
+ properties.AddSpdxElement(propertyName, spdxElement);
+ }
+ }
+ }
+
+ private static T GetSpdxElement(string value)
+ {
+ return JsonSerializer.Deserialize(value, _jsonOptions);
+ }
+
+ public static string GetSpdxElement(this List properties, string propertyName)
+ {
+ var result = properties.GetSpdxElements(propertyName);
+ return result == null || result.Count == 0 ? null : result.First();
+ }
+
+ public static List GetSpdxElements(this List properties, string propertyName)
+ {
+ if (properties.Exists(p => p.Name == propertyName))
+ {
+ var spdxElements = new List();
+ foreach (var p in properties.Where(p => p.Name == propertyName))
+ {
+ spdxElements.Add(p.Value);
+ }
+ return spdxElements.Count > 0 ? spdxElements : null;
+ }
+ else
+ {
+ return null;
+ }
+ }
+
+ public static T GetSpdxElement(this List properties, string propertyName)
+ {
+ var result = properties.GetSpdxElements(propertyName);
+ return result == null || result.Count == 0 ? default(T) : result.First();
+ }
+
+ public static List GetSpdxElements(this List properties, string propertyName)
+ {
+ if (properties.Exists(p => p.Name == propertyName))
+ {
+ var spdxElements = new List();
+ foreach (var p in properties.Where(p => p.Name == propertyName))
+ {
+ spdxElements.Add(GetSpdxElement(p.Value));
+ }
+ return spdxElements.Count > 0 ? spdxElements : null;
+ }
+ else
+ {
+ return null;
+ }
+ }
+ }
+}
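Review bot: The generic `AddSpdxElement` now skips any value equal to `default(T)` instead of only `null`, which silently drops legitimate values of non-nullable value types — `false`, `0` — and the generic `GetSpdxElement` on the read side then hands back `default(T)` for the missing property, so the round trip only looks correct when the consumer's own default happens to agree. `FILES_ANALYZED` is the case to check: SPDX treats an absent `filesAnalyzed` as `true`, so if the v2_3 model's `FilesAnalyzed` is a plain `bool` (not visible from here) an explicit `false` is no longer recorded in the BOM at all, and a reader applying the SPDX default will take the package as analysed — which also decides whether a verification code is expected. If suppressing value-type defaults is the intent, make it visible to callers with `/// <remarks>A value equal to default(T) is treated as absent and not stored.</remarks>` on the method; otherwise keep the null test (`if (spdxElement != null)`, which compiles for an unconstrained `T`) and have value-type callers pass nullable types so absence and `false` stay distinguishable.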
diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/SpdxDocumentHelpers.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/SpdxDocumentHelpers.cs
similarity index 67%
rename from src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/SpdxDocumentHelpers.cs
rename to src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/SpdxDocumentHelpers.cs
index 1acaed83..a88f51f8 100644
--- a/src/CycloneDX.Spdx.Interop/Converters/v2_2/Helpers/SpdxDocumentHelpers.cs
+++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/SpdxDocumentHelpers.cs
@@ -1,181 +1,235 @@ -// This file is part of CycloneDX Library for .NET -// -// Licensed under the Apache License, Version 2.0 (the “License”); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an “AS IS” BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 -// Copyright (c) OWASP Foundation. All Rights Reserved. - -using System; -using System.Collections.Generic; -using System.Linq; -using CycloneDX.Models; -using CycloneDX.Spdx.Models.v2_2; - -namespace CycloneDX.Spdx.Interop.Helpers -{ - public static class SpdxDocumentHelpers - { - public static bool IsSpdxPackageSupportedComponentType(Component component) - { - return component.Type == Component.Classification.Application - || component.Type == Component.Classification.Firmware - || component.Type == Component.Classification.Framework - || component.Type == Component.Classification.Library - || component.Type == Component.Classification.Operating_System - || component.Type == Component.Classification.Container; - } - - public static void AddCycloneDXComponents(this SpdxDocument doc, Bom bom) - { - if (bom.Components == null || bom.Components.Count == 0) { return; } - doc.Packages = doc.Packages ?? new List(); - foreach (var component in bom.Components.Where(c => IsSpdxPackageSupportedComponentType(c))) - { - var package = new Package - { - Name = component.Name, - VersionInfo = component.Version, - Description = component.Description, - CopyrightText = component.Copyright ?? 
"NOASSERTION", - }; - package.SPDXID = component.Properties?.GetSpdxElement(PropertyTaxonomy.SPDXID); - if (package.SPDXID == null) - { - if (component.BomRef == null) - { - package.SPDXID = "SPDXRef-Package-" + (doc.Packages.Count + 1).ToString(); - } - else - { - package.SPDXID = $"SPDXRef-{component.BomRef}"; - } - } - package.Annotations = component.Properties?.GetSpdxElements(PropertyTaxonomy.ANNOTATION); - package.FilesAnalyzed = component.Properties?.GetSpdxElement(PropertyTaxonomy.FILES_ANALYZED); - package.LicenseComments = component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_COMMENTS); - package.LicenseConcluded = component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_CONCLUDED) ?? "NOASSERTION"; - package.PackageFileName = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_FILENAME); - var packageVerificationCode = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_VERIFICATION_CODE_VALUE); - if (packageVerificationCode != null) - { - package.PackageVerificationCode = new PackageVerificationCode - { - PackageVerificationCodeValue = packageVerificationCode, - PackageVerificationCodeExcludedFiles = component.Properties?.GetSpdxElements(PropertyTaxonomy.PACKAGE_VERIFICATION_CODE_EXCLUDED_FILE), - }; - } - package.SourceInfo = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_SOURCE_INFO); - package.Summary = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_SUMMARY); - package.Comment = component.Properties?.GetSpdxElement(PropertyTaxonomy.COMMENT); - - // LicenseInfoFromFiles - if (component.Evidence?.Licenses != null && component.Evidence.Licenses.Count > 0) - { - if (package.LicenseInfoFromFiles == null) { package.LicenseInfoFromFiles = new List(); } - foreach (var license in component.Evidence.Licenses) - { - if (license.Expression != null) - { - // TODO revisit this after some sleep - // at first glance it doesn't look like expressions are handled in ExtractedLicensingInfo - } - else if 
(license.License != null) - { - if (license.License.Id != null) - { - package.LicenseInfoFromFiles.Add(license.License.Id); - } - else - { - if (doc.HasExtractedLicensingInfos == null) doc.HasExtractedLicensingInfos = new List(); - var extLicInfo = new ExtractedLicensingInfo - { - LicenseId = $"LicenseRef-{doc.HasExtractedLicensingInfos.Count + 1}", - Name = license.License.Name, - SeeAlsos = license.License.Url == null ? null : new List { license.License.Url }, - ExtractedText = license.License.Text?.Content?.Base64Decode(), - }; - doc.HasExtractedLicensingInfos.Add(extLicInfo); - package.LicenseInfoFromFiles.Add(extLicInfo.LicenseId); - } - } - } - } - if (package.LicenseInfoFromFiles == null || package.LicenseInfoFromFiles.Count == 0) - { - package.LicenseInfoFromFiles = new List { "NOASSERTION" }; - } - - // LicenseDeclared - package.LicenseDeclared = component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_DECLARED); - if (component.Licenses == null || component.Licenses.Count == 0) - { - package.LicenseDeclared = "NOASSERTION"; - } - else - { - if (component.Licenses.Count == 1) - { - package.LicenseDeclared = component.Licenses.First().Expression ?? component.Licenses.First().License.Id; - } - else - { - package.LicenseDeclared = "NOASSERTION"; - } - } - - // Package Originator - package.Originator = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR) ?? "NOASSERTION"; - #pragma warning disable 618 - if (component.Author != null) - { - if (component.Author == component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_ORGANIZATION)) - { - package.Originator = $"Organization: {component.Author} ({component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_EMAIL) ?? ""})"; - } - else - { - package.Originator = $"Person: {component.Author} ({component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_EMAIL) ?? 
""})"; - } - } - #pragma warning restore 618 - package.Supplier = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_SUPPLIER) ?? "NOASSERTION"; - if (component.Supplier != null) - { - var supplierEmails = component.Supplier.Contact.Where(c => c.Email != null).ToList(); - var supplierEmail = supplierEmails.Count > 0 ? supplierEmails.First().Email : ""; - if (component.Supplier.Name == component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_SUPPLIER_ORGANIZATION)) - { - package.Supplier = $"Organization: {component.Supplier.Name} ({supplierEmail})"; - } - else - { - package.Supplier = $"Person: {component.Supplier.Name} ({supplierEmail})"; - } - } - - package.AttributionTexts = component.GetSpdxAttributionTexts(); - - package.Checksums = component.GetSpdxChecksums(); - package.ExternalRefs = component.GetSpdxExternalRefs(); - - package.DownloadLocation = component.Properties?.GetSpdxElement(PropertyTaxonomy.DOWNLOAD_LOCATION) ?? "NOASSERTION"; - package.Homepage = component.Properties?.GetSpdxElement(PropertyTaxonomy.HOMEPAGE) ?? "NOASSERTION"; - - //TODO HasFile - - doc.Packages.Add(package); - } - } - } -} +// This file is part of CycloneDX Library for .NET +// +// Licensed under the Apache License, Version 2.0 (the “License”); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an “AS IS” BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 +// Copyright (c) OWASP Foundation. All Rights Reserved. 
+ +using System; +using System.Collections.Generic; +using System.Linq; +using CycloneDX.Models; +using CycloneDX.Spdx.Models.v2_3; + +namespace CycloneDX.Spdx.Interop.Helpers +{ + public static class SpdxDocumentHelpers + { + public static bool IsSpdxPackageSupportedComponentType(Component component) + { + return component.Type == Component.Classification.Application + || component.Type == Component.Classification.Firmware + || component.Type == Component.Classification.Framework + || component.Type == Component.Classification.Library + || component.Type == Component.Classification.Operating_System + || component.Type == Component.Classification.Container; + } + + public static void AddCycloneDXComponents(this SpdxDocument doc, Bom bom) + { + if (bom.Components == null || bom.Components.Count == 0) { return; } + doc.Packages = doc.Packages ?? new List(); + foreach (var component in bom.Components.Where(c => IsSpdxPackageSupportedComponentType(c))) + { + var package = new Package + { + Name = component.Name, + VersionInfo = component.Version, + Description = component.Description, + }; + + var copyrightText = component.Copyright; + if (!String.IsNullOrEmpty(copyrightText) && copyrightText != "NOASSERTION") + { + package.CopyrightText = copyrightText; + } + + package.SPDXID = component.Properties?.GetSpdxElement(PropertyTaxonomy.SPDXID); + if (package.SPDXID == null) + { + if (component.BomRef == null) + { + package.SPDXID = "SPDXRef-Package-" + (doc.Packages.Count + 1).ToString(); + } + else + { + package.SPDXID = $"SPDXRef-{component.BomRef}"; + } + } + package.Annotations = component.Properties?.GetSpdxElements(PropertyTaxonomy.ANNOTATION); + package.FilesAnalyzed = component.Properties?.GetSpdxElement(PropertyTaxonomy.FILES_ANALYZED); + package.LicenseComments = component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_COMMENTS); + + package.PackageFileName = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_FILENAME); + + var licenseConcluded = 
component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_CONCLUDED); + if (!String.IsNullOrEmpty(licenseConcluded) && licenseConcluded != "NOASSERTION") + { + package.LicenseConcluded = licenseConcluded; + } + + var builtDate = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_BUILT_DATE); + if ( !String.IsNullOrEmpty(builtDate)) + { + package.BuiltDate = DateTime.Parse(builtDate.Trim('"')); + } + + var releaseDate = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_RELEASE_DATE); + if ( !String.IsNullOrEmpty(releaseDate)) + { + package.ReleaseDate = DateTime.Parse(releaseDate.Trim('"')); + } + + var validUntilDate = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_VALID_UNTIL_DATE); + if ( !String.IsNullOrEmpty(validUntilDate)) + { + package.ValidUntilDate = DateTime.Parse(validUntilDate.Trim('"')); + } + + var packageVerificationCode = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_VERIFICATION_CODE_VALUE); + if (packageVerificationCode != null) + { + package.PackageVerificationCode = new PackageVerificationCode + { + PackageVerificationCodeValue = packageVerificationCode, + PackageVerificationCodeExcludedFiles = component.Properties?.GetSpdxElements(PropertyTaxonomy.PACKAGE_VERIFICATION_CODE_EXCLUDED_FILE), + }; + } + package.SourceInfo = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_SOURCE_INFO); + package.Summary = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_SUMMARY); + package.Comment = component.Properties?.GetSpdxElement(PropertyTaxonomy.COMMENT); + + // LicenseInfoFromFiles + if (component.Evidence?.Licenses != null && component.Evidence.Licenses.Count > 0) + { + if (package.LicenseInfoFromFiles == null) { package.LicenseInfoFromFiles = new List(); } + foreach (var license in component.Evidence.Licenses) + { + if (license.Expression != null) + { + // TODO revisit this after some sleep + // at first glance it doesn't look like expressions are handled in 
ExtractedLicensingInfo + } + else if (license.License != null) + { + if (license.License.Id != null) + { + package.LicenseInfoFromFiles.Add(license.License.Id); + } + else + { + if (doc.HasExtractedLicensingInfos == null) { doc.HasExtractedLicensingInfos = new List(); } + var extLicInfo = new ExtractedLicensingInfo + { + LicenseId = $"LicenseRef-{doc.HasExtractedLicensingInfos.Count + 1}", + Name = license.License.Name, + SeeAlsos = license.License.Url == null ? null : new List { license.License.Url }, + ExtractedText = license.License.Text?.Content?.Base64Decode(), + }; + doc.HasExtractedLicensingInfos.Add(extLicInfo); + package.LicenseInfoFromFiles.Add(extLicInfo.LicenseId); + } + } + } + } + + // LicenseDeclared + var licenseDeclared = component.Properties?.GetSpdxElement(PropertyTaxonomy.LICENSE_DECLARED); + if (!String.IsNullOrEmpty(licenseDeclared) && licenseDeclared != "NOASSERTION") + { + package.LicenseDeclared = licenseDeclared; + } + if (component.Licenses != null && component.Licenses.Count == 1) + { + + package.LicenseDeclared = component.Licenses.First().Expression ?? component.Licenses.First().License.Id; + } + + + + // Package Originator + var packageOriginator = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR); + if (!String.IsNullOrEmpty(packageOriginator) && packageOriginator != "NOASSERTION") + { + package.Originator = packageOriginator; + } + #pragma warning disable 618 + if (component.Author != null) + { + if (component.Author == component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_ORGANIZATION)) + { + package.Originator = $"Organization: {component.Author} ({component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_EMAIL) ?? ""})"; + } + else + { + package.Originator = $"Person: {component.Author} ({component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_ORIGINATOR_EMAIL) ?? 
""})"; + } + } + #pragma warning restore 618 + var packageSupplier = component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_SUPPLIER); + if (!String.IsNullOrEmpty(packageSupplier) && packageSupplier != "NOASSERTION") + { + package.Supplier = packageSupplier; + } + if (component.Supplier != null) + { + var supplierEmails = component.Supplier.Contact.Where(c => c.Email != null).ToList(); + var supplierEmail = supplierEmails.Count > 0 ? supplierEmails.First().Email : ""; + if (component.Supplier.Name == component.Properties?.GetSpdxElement(PropertyTaxonomy.PACKAGE_SUPPLIER_ORGANIZATION)) + { + package.Supplier = $"Organization: {component.Supplier.Name} ({supplierEmail})"; + } + else + { + package.Supplier = $"Person: {component.Supplier.Name} ({supplierEmail})"; + } + } + + package.AttributionTexts = component.GetSpdxAttributionTexts(); + + package.Checksums = component.GetSpdxChecksums(); + package.ExternalRefs = component.GetSpdxExternalRefs(); + + package.DownloadLocation = component.Properties?.GetSpdxElement(PropertyTaxonomy.DOWNLOAD_LOCATION) ?? 
"NOASSERTION"; + package.Homepage = component.Properties?.GetSpdxElement(PropertyTaxonomy.HOMEPAGE); + + //PrimaryPackagePurpose + switch (component.Type) + { + case Component.Classification.Application: + package.PrimaryPackagePurpose = PrimaryPackagePurposeType.APPLICATION; + break; + case Component.Classification.Firmware: + package.PrimaryPackagePurpose = PrimaryPackagePurposeType.FIRMWARE; + break; + case Component.Classification.Framework: + package.PrimaryPackagePurpose = PrimaryPackagePurposeType.FRAMEWORK; + break; + case Component.Classification.Operating_System: + package.PrimaryPackagePurpose = PrimaryPackagePurposeType.OPERATING_SYSTEM; + break; + case Component.Classification.Container: + package.PrimaryPackagePurpose = PrimaryPackagePurposeType.CONTAINER; + break; + default: + package.PrimaryPackagePurpose = PrimaryPackagePurposeType.LIBRARY; + break; + } + + //TODO HasFile + + doc.Packages.Add(package); + } + } + } +} diff --git a/src/CycloneDX.Spdx.Interop/Converters/v2_2/SpdxDocumentConverters.cs b/src/CycloneDX.Spdx.Interop/Converters/v2_3/SpdxDocumentConverters.cs similarity index 91% rename from src/CycloneDX.Spdx.Interop/Converters/v2_2/SpdxDocumentConverters.cs rename to src/CycloneDX.Spdx.Interop/Converters/v2_3/SpdxDocumentConverters.cs index 84c7b8d4..81f43d29 100644 --- a/src/CycloneDX.Spdx.Interop/Converters/v2_2/SpdxDocumentConverters.cs +++ b/src/CycloneDX.Spdx.Interop/Converters/v2_3/SpdxDocumentConverters.cs 
@@ -1,129 +1,129 @@ -// This file is part of CycloneDX Library for .NET -// -// Licensed under the Apache License, Version 2.0 (the “License”); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an “AS IS” BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// SPDX-License-Identifier: Apache-2.0 -// Copyright (c) OWASP Foundation. All Rights Reserved. - -using System; -using System.Collections.Generic; -using CycloneDX.Models; -using CycloneDX.Spdx.Models.v2_2; -using CycloneDX.Spdx.Interop.Helpers; - -namespace CycloneDX.Spdx.Interop -{ - public static class SpdxDocumentConverters - { - public static SpdxDocument ToSpdx(this Bom bom) - { - var doc = new SpdxDocument - { - CreationInfo = new CreationInfo(), - }; - - // document - doc.SPDXID = bom?.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.SPDXID) ?? 
"SPDXRef-DOCUMENT"; - doc.Comment = bom?.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.COMMENT); - - doc.Name = bom?.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.DOCUMENT_NAME); - if (doc.Name == null) - { - if (bom.Metadata?.Component?.Name != null) - { - doc.Name = bom.Metadata.Component.Name; - if (bom.Metadata.Component.Version != null) { doc.Name += $"-{bom.Metadata.Component.Version}"; } - if (bom.Metadata.Component.Group != null) { doc.Name = $"{bom.Metadata.Component.Group} {doc.Name}"; } - } - else - { - doc.Name = "CycloneDX BOM"; - } - } - - doc.DocumentNamespace = bom?.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.DOCUMENT_NAMESPACE); - if (doc.DocumentNamespace == null) - { - string docId; - if (string.IsNullOrEmpty(bom.SerialNumber)) - { - docId = Guid.NewGuid().ToString(); - } - else if (bom.SerialNumber.StartsWith("urn:uuid:", StringComparison.InvariantCulture)) - { - docId = bom.SerialNumber.Remove(0, 9); - } - else - { - docId = bom.SerialNumber; - } - doc.DocumentNamespace = $"http://spdx.org/spdxdocs/{doc.Name}-{docId}"; - } - - // creation info - doc.CreationInfo.Comment = bom.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.CREATION_INFO_COMMENT) ?? "This SPDX document has been converted from CycloneDX format."; - doc.CreationInfo.Created = bom.Metadata?.Timestamp != null ? 
bom.Metadata.Timestamp.Value : DateTime.UtcNow; - doc.CreationInfo.Creators = bom.GetSpdxCreators(); - doc.CreationInfo.LicenseListVersion = bom.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.CREATION_INFO_LICENSE_LIST_VERSION); - - doc.ExternalDocumentRefs = bom.Metadata?.Properties?.GetSpdxElements(PropertyTaxonomy.DOCUMENT_EXTERNAL_DOCUMENT_REF); - doc.Annotations = bom.Metadata?.Properties?.GetSpdxElements(PropertyTaxonomy.ANNOTATION); - doc.DocumentDescribes = bom.Metadata?.Properties?.GetSpdxElements(PropertyTaxonomy.DOCUMENT_DESCRIBES); - - doc.AddCycloneDXComponents(bom); - doc.Files = bom.GetSpdxFiles(); - //TODO HasExtractedLicensingInfos - //TODO relationships, assemblies, dependency graph, etc - - return doc; - } - - public static Bom ToCycloneDX(this SpdxDocument doc) - { - var bom = new Bom - { - Metadata = new Metadata - { - Properties = new List(), - } - }; - - // document - bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.SPDXID, doc.SPDXID); - bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.DOCUMENT_SPDX_VERSION, doc.SpdxVersion); - bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.COMMENT, doc.Comment); - bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.DOCUMENT_NAME, doc.Name); - bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.DOCUMENT_NAMESPACE, doc.DocumentNamespace); - - // creation info - if (doc.CreationInfo != null) - { - bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.CREATION_INFO_COMMENT, doc.CreationInfo.Comment); - bom.Metadata.Timestamp = doc.CreationInfo.Created; - bom.AddSpdxCreators(doc.CreationInfo.Creators); - bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.CREATION_INFO_LICENSE_LIST_VERSION, doc.CreationInfo.LicenseListVersion); - } - - bom.Metadata.Properties.AddSpdxElements(PropertyTaxonomy.DOCUMENT_EXTERNAL_DOCUMENT_REF, doc.ExternalDocumentRefs); - bom.Metadata.Properties.AddSpdxElements(PropertyTaxonomy.ANNOTATION, doc.Annotations); - 
bom.Metadata.Properties.AddSpdxElements(PropertyTaxonomy.DOCUMENT_DESCRIBES, doc.DocumentDescribes); - - bom.AddSpdxPackages(doc); - bom.AddSpdxFiles(doc.Files); - - return bom; - } - - - } -} +// This file is part of CycloneDX Library for .NET +// +// Licensed under the Apache License, Version 2.0 (the “License”); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an “AS IS” BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// SPDX-License-Identifier: Apache-2.0 +// Copyright (c) OWASP Foundation. All Rights Reserved. + +using System; +using System.Collections.Generic; +using CycloneDX.Models; +using CycloneDX.Spdx.Models.v2_3; +using CycloneDX.Spdx.Interop.Helpers; + +namespace CycloneDX.Spdx.Interop +{ + public static class SpdxDocumentConverters + { + public static SpdxDocument ToSpdx(this Bom bom) + { + var doc = new SpdxDocument + { + CreationInfo = new CreationInfo(), + }; + + // document + doc.SPDXID = bom?.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.SPDXID) ?? 
"SPDXRef-DOCUMENT"; + doc.Comment = bom?.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.COMMENT); + + doc.Name = bom?.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.DOCUMENT_NAME); + if (doc.Name == null) + { + if (bom.Metadata?.Component?.Name != null) + { + doc.Name = bom.Metadata.Component.Name; + if (bom.Metadata.Component.Version != null) { doc.Name += $"-{bom.Metadata.Component.Version}"; } + if (bom.Metadata.Component.Group != null) { doc.Name = $"{bom.Metadata.Component.Group} {doc.Name}"; } + } + else + { + doc.Name = "CycloneDX BOM"; + } + } + + doc.DocumentNamespace = bom?.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.DOCUMENT_NAMESPACE); + if (doc.DocumentNamespace == null) + { + string docId; + if (string.IsNullOrEmpty(bom.SerialNumber)) + { + docId = Guid.NewGuid().ToString(); + } + else if (bom.SerialNumber.StartsWith("urn:uuid:", StringComparison.InvariantCulture)) + { + docId = bom.SerialNumber.Remove(0, 9); + } + else + { + docId = bom.SerialNumber; + } + doc.DocumentNamespace = $"http://spdx.org/spdxdocs/{doc.Name}-{docId}"; + } + + // creation info + doc.CreationInfo.Comment = bom.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.CREATION_INFO_COMMENT) ?? "This SPDX document has been converted from CycloneDX format."; + doc.CreationInfo.Created = bom.Metadata?.Timestamp != null ? 
bom.Metadata.Timestamp.Value : DateTime.UtcNow; + doc.CreationInfo.Creators = bom.GetSpdxCreators(); + doc.CreationInfo.LicenseListVersion = bom.Metadata?.Properties?.GetSpdxElement(PropertyTaxonomy.CREATION_INFO_LICENSE_LIST_VERSION); + + doc.ExternalDocumentRefs = bom.Metadata?.Properties?.GetSpdxElements(PropertyTaxonomy.DOCUMENT_EXTERNAL_DOCUMENT_REF); + doc.Annotations = bom.Metadata?.Properties?.GetSpdxElements(PropertyTaxonomy.ANNOTATION); + doc.DocumentDescribes = bom.Metadata?.Properties?.GetSpdxElements(PropertyTaxonomy.DOCUMENT_DESCRIBES); + + doc.AddCycloneDXComponents(bom); + doc.Files = bom.GetSpdxFiles(); + //TODO HasExtractedLicensingInfos + //TODO relationships, assemblies, dependency graph, etc + + return doc; + } + + public static Bom ToCycloneDX(this SpdxDocument doc) + { + var bom = new Bom + { + Metadata = new Metadata + { + Properties = new List(), + } + }; + + // document + bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.SPDXID, doc.SPDXID); + bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.DOCUMENT_SPDX_VERSION, doc.SpdxVersion); + bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.COMMENT, doc.Comment); + bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.DOCUMENT_NAME, doc.Name); + bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.DOCUMENT_NAMESPACE, doc.DocumentNamespace); + + // creation info + if (doc.CreationInfo != null) + { + bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.CREATION_INFO_COMMENT, doc.CreationInfo.Comment); + bom.Metadata.Timestamp = doc.CreationInfo.Created; + bom.AddSpdxCreators(doc.CreationInfo.Creators); + bom.Metadata.Properties.AddSpdxElement(PropertyTaxonomy.CREATION_INFO_LICENSE_LIST_VERSION, doc.CreationInfo.LicenseListVersion); + } + + bom.Metadata.Properties.AddSpdxElements(PropertyTaxonomy.DOCUMENT_EXTERNAL_DOCUMENT_REF, doc.ExternalDocumentRefs); + bom.Metadata.Properties.AddSpdxElements(PropertyTaxonomy.ANNOTATION, doc.Annotations); + 
bom.Metadata.Properties.AddSpdxElements(PropertyTaxonomy.DOCUMENT_DESCRIBES, doc.DocumentDescribes); + + bom.AddSpdxPackages(doc); + bom.AddSpdxFiles(doc.Files); + + return bom; + } + + + } +} \ No newline at end of file diff --git a/src/CycloneDX.Spdx.Interop/PropertyTaxonomy.cs b/src/CycloneDX.Spdx.Interop/PropertyTaxonomy.cs index adbd3d2e..b35017dc 100644 --- a/src/CycloneDX.Spdx.Interop/PropertyTaxonomy.cs +++ b/src/CycloneDX.Spdx.Interop/PropertyTaxonomy.cs @@ -40,6 +40,9 @@ public static class PropertyTaxonomy public const string PACKAGE_VERIFICATION_CODE_EXCLUDED_FILE = "spdx:package:verification-code:excluded-file"; public const string PACKAGE_SOURCE_INFO = "spdx:package:source-info"; public const string PACKAGE_SUMMARY = "spdx:package:summary"; + public const string PACKAGE_BUILT_DATE = "spdx:package:built-date"; + public const string PACKAGE_RELEASE_DATE = "spdx:package:release-date"; + public const string PACKAGE_VALID_UNTIL_DATE = "spdx:package:valid-until-date"; public const string FILE_TYPE = "spdx:file:type"; public const string FILE_CONTRIBUTOR = "spdx:file:contributor"; public const string FILE_NOTICE_TEXT = "spdx:file:notice-text"; @@ -48,6 +51,7 @@ public static class PropertyTaxonomy public const string CHECKSUM_MD2 = "spdx:checksum:md2"; public const string CHECKSUM_MD4 = "spdx:checksum:md4"; public const string CHECKSUM_MD6 = "spdx:checksum:md6"; + public const string CHECKSUM_ADLER32 = "spdx:checksum:adler32"; public const string DOCUMENT_SPDX_VERSION = "spdx:document:spdx-version"; public const string DOCUMENT_DATA_LICENSE = "spdx:document:data-license"; public const string DOCUMENT_NAME = "spdx:document:name"; diff --git a/src/CycloneDX.Spdx/CycloneDX.Spdx.csproj b/src/CycloneDX.Spdx/CycloneDX.Spdx.csproj index 0139541e..a4d935dd 100644 --- a/src/CycloneDX.Spdx/CycloneDX.Spdx.csproj +++ b/src/CycloneDX.Spdx/CycloneDX.Spdx.csproj @@ -24,4 +24,9 @@ + + + + + 
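Review bot: In the new `ToSpdx`, `doc.DocumentNamespace = $"http://spdx.org/spdxdocs/{doc.Name}-{docId}";` interpolates two unsanitised strings into what SPDX requires to be a unique, `#`-free URI: `doc.Name`, which the fallback branch builds as `"{Group} {Name}-{Version}"` with a literal space, and `bom.SerialNumber`, which is copied verbatim as `docId` whenever it does not begin with `urn:uuid:`. Because a BOM's serial number and component names are producer-controlled input, a space, `#` or other reserved character in either field yields an SPDX document that is likely to fail schema validation downstream; escaping both parts, `doc.DocumentNamespace = $"http://spdx.org/spdxdocs/{Uri.EscapeDataString(doc.Name)}-{Uri.EscapeDataString(docId)}";`, keeps the namespace well-formed regardless of input. The prefix test two branches earlier, `bom.SerialNumber.StartsWith("urn:uuid:", StringComparison.InvariantCulture)`, compares an identifier rather than linguistic text and should use `StringComparison.Ordinal`. Both points are carried over from the v2_2 converter rather than introduced by the rename, but the move to a new namespace is a natural point to fix them. The `@@ -1,129 +1,129 @@` hunk holds the whole file, so `ToSpdx` and `ToCycloneDX` are both fully visible.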
diff --git a/src/CycloneDX.Spdx/CycloneDX.Spdx.csproj.user b/src/CycloneDX.Spdx/CycloneDX.Spdx.csproj.user new file mode 100644 index 00000000..e84b0325 --- /dev/null +++ b/src/CycloneDX.Spdx/CycloneDX.Spdx.csproj.user @@ -0,0 +1,9 @@ + + + + + + Designer + + + \ No newline at end of file diff --git a/src/CycloneDX.Spdx/Models/v2_2/Annotation.cs b/src/CycloneDX.Spdx/Models/v2_3/Annotation.cs similarity index 95% rename from src/CycloneDX.Spdx/Models/v2_2/Annotation.cs rename to src/CycloneDX.Spdx/Models/v2_3/Annotation.cs index 7d5da895..731c6774 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/Annotation.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/Annotation.cs @@ -16,9 +16,10 @@ // Copyright (c) OWASP Foundation. All Rights Reserved. using System; +using System.Text.Json.Serialization; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class Annotation { diff --git a/src/CycloneDX.Spdx/Models/v2_2/AnnotationType.cs b/src/CycloneDX.Spdx/Models/v2_3/AnnotationType.cs similarity index 95% rename from src/CycloneDX.Spdx/Models/v2_2/AnnotationType.cs rename to src/CycloneDX.Spdx/Models/v2_3/AnnotationType.cs index 6b84efb0..d1598244 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/AnnotationType.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/AnnotationType.cs @@ -17,7 +17,7 @@ using System; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public enum AnnotationType { diff --git a/src/CycloneDX.Spdx/Models/v2_2/Checksum.cs b/src/CycloneDX.Spdx/Models/v2_3/Checksum.cs similarity index 94% rename from src/CycloneDX.Spdx/Models/v2_2/Checksum.cs rename to src/CycloneDX.Spdx/Models/v2_3/Checksum.cs index c3c5c4b1..902133bc 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/Checksum.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/Checksum.cs 
@@ -16,9 +16,10 @@ // Copyright (c) OWASP Foundation. All Rights Reserved.
 using System;
+using System.Text.Json.Serialization;
 using System.Xml.Serialization;
-namespace CycloneDX.Spdx.Models.v2_2
+namespace CycloneDX.Spdx.Models.v2_3 { public class Checksum {
diff --git a/src/CycloneDX.Spdx/Models/v2_3/ChecksumAlgorithm.cs b/src/CycloneDX.Spdx/Models/v2_3/ChecksumAlgorithm.cs
new file mode 100644
index 00000000..de3f2e79
--- /dev/null
+++ b/src/CycloneDX.Spdx/Models/v2_3/ChecksumAlgorithm.cs
@@ -0,0 +1,60 @@
+// This file is part of CycloneDX Library for .NET
+//
+// Licensed under the Apache License, Version 2.0 (the “License”);
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an “AS IS” BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX_License_Identifier: Apache_2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
+using System;
+using System.Xml.Serialization;
+
+namespace CycloneDX.Spdx.Models.v2_3
+{
+ public enum ChecksumAlgorithm
+ {
+ [XmlEnum("SHA256")]
+ SHA256,
+ [XmlEnum("SHA1")]
+ SHA1,
+ [XmlEnum("SHA384")]
+ SHA384,
+ [XmlEnum("MD2")]
+ MD2,
+ [XmlEnum("MD4")]
+ MD4,
+ [XmlEnum("SHA512")]
+ SHA512,
+ [XmlEnum("MD6")]
+ MD6,
+ [XmlEnum("MD5")]
+ MD5,
+ [XmlEnum("SHA224")]
+ SHA224,
+ [XmlEnum("SHA3-256")]
+ SHA3_256,
+ [XmlEnum("SHA3-384")]
+ SHA3_384,
+ [XmlEnum("SHA3-512")]
+ SHA3_512,
+ [XmlEnum("BLAKE2b-256")]
+ BLAKE2b_256,
+ [XmlEnum("BLAKE2b-384")]
+ BLAKE2b_384,
+ [XmlEnum("BLAKE2b-512")]
+ BLAKE2b_512,
+ [XmlEnum("BLAKE3")]
+ BLAKE3,
+ [XmlEnum("ADLER32")]
+ ADLER32,
+ }
+}
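Review bot: The license header of the new ChecksumAlgorithm.cs reads `// SPDX_License_Identifier: Apache_2.0`, which is not a valid SPDX short-form tag (the tag is `SPDX-License-Identifier` and the identifier `Apache-2.0`, as the other files in this commit spell it), so license scanners will not match this file; change it to `// SPDX-License-Identifier: Apache-2.0`. `using System;` is not referenced by the enum and can go. `ADLER32` is a non-cryptographic checksum unlike every other member, so a comment such as `// Adler-32 is a CRC-style checksum, not a digest; do not treat it as tamper evidence.` would help consumers that feed this enum into hash verification. The `[XmlEnum]` names only affect XmlSerializer; if the JSON side relies on a default string-enum conversion, `SHA3_256` and the `BLAKE2b_*` members would serialize with underscores instead of the hyphenated SPDX names, which a JSON round-trip test against the 2.3 schema would catch.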
diff --git a/src/CycloneDX.Spdx/Models/v2_2/CreationInfo.cs b/src/CycloneDX.Spdx/Models/v2_3/CreationInfo.cs similarity index 98% rename from src/CycloneDX.Spdx/Models/v2_2/CreationInfo.cs rename to src/CycloneDX.Spdx/Models/v2_3/CreationInfo.cs index 35c68ae4..a6104deb 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/CreationInfo.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/CreationInfo.cs @@ -19,7 +19,7 @@ using System.Collections.Generic; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class CreationInfo { diff --git a/src/CycloneDX.Spdx/Models/v2_2/CrossRef.cs b/src/CycloneDX.Spdx/Models/v2_3/CrossRef.cs similarity index 98% rename from src/CycloneDX.Spdx/Models/v2_2/CrossRef.cs rename to src/CycloneDX.Spdx/Models/v2_3/CrossRef.cs index 5e45c094..5144c8db 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/CrossRef.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/CrossRef.cs @@ -18,7 +18,7 @@ using System; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class CrossRef { diff --git a/src/CycloneDX.Spdx/Models/v2_2/ExternalDocumentRef.cs b/src/CycloneDX.Spdx/Models/v2_3/ExternalDocumentRef.cs similarity index 97% rename from src/CycloneDX.Spdx/Models/v2_2/ExternalDocumentRef.cs rename to src/CycloneDX.Spdx/Models/v2_3/ExternalDocumentRef.cs index 5d6c968d..7d2a49d0 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/ExternalDocumentRef.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/ExternalDocumentRef.cs @@ -18,7 +18,7 @@ using System; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class ExternalDocumentRef { diff --git a/src/CycloneDX.Spdx/Models/v2_2/ExternalRef.cs b/src/CycloneDX.Spdx/Models/v2_3/ExternalRef.cs similarity index 95% rename from src/CycloneDX.Spdx/Models/v2_2/ExternalRef.cs rename to src/CycloneDX.Spdx/Models/v2_3/ExternalRef.cs index cc116e1e..a8cccf03 100644 
--- a/src/CycloneDX.Spdx/Models/v2_2/ExternalRef.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/ExternalRef.cs @@ -16,9 +16,10 @@ // Copyright (c) OWASP Foundation. All Rights Reserved. using System; +using System.Text.Json.Serialization; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class ExternalRef { diff --git a/src/CycloneDX.Spdx/Models/v2_2/ExternalRefCategory.cs b/src/CycloneDX.Spdx/Models/v2_3/ExternalRefCategory.cs similarity index 80% rename from src/CycloneDX.Spdx/Models/v2_2/ExternalRefCategory.cs rename to src/CycloneDX.Spdx/Models/v2_3/ExternalRefCategory.cs index 819d0eaa..e559d596 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/ExternalRefCategory.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/ExternalRefCategory.cs @@ -16,13 +16,18 @@ // Copyright (c) OWASP Foundation. All Rights Reserved. using System; +using System.Runtime.Serialization; +using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public enum ExternalRefCategory { OTHER, SECURITY, + [XmlEnum("PACKAGE-MANAGER")] PACKAGE_MANAGER, + [XmlEnum("PERSISTENT-ID")] + PERSISTENT_ID, } } diff --git a/src/CycloneDX.Spdx/Models/v2_2/ExtractedLicensingInfo.cs b/src/CycloneDX.Spdx/Models/v2_3/ExtractedLicensingInfo.cs similarity index 98% rename from src/CycloneDX.Spdx/Models/v2_2/ExtractedLicensingInfo.cs rename to src/CycloneDX.Spdx/Models/v2_3/ExtractedLicensingInfo.cs index 678bd00c..904200b2 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/ExtractedLicensingInfo.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/ExtractedLicensingInfo.cs @@ -19,7 +19,7 @@ using System.Collections.Generic; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class ExtractedLicensingInfo { 
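Review bot: `using System.Runtime.Serialization;` is added to ExternalRefCategory.cs, but no `[EnumMember]` or other member of that namespace appears in the enum; only `System.Xml.Serialization` is used, so drop the first directive. The new `[XmlEnum("PACKAGE-MANAGER")]` and `[XmlEnum("PERSISTENT-ID")]` names only affect XmlSerializer; if the JSON path relies on a default string-enum converter it will still emit `PACKAGE_MANAGER`/`PERSISTENT_ID`, so confirm which spelling the bundled 2.3 JSON schema expects and cover both serializers in a round-trip test.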
diff --git a/src/CycloneDX.Spdx/Models/v2_2/File.cs b/src/CycloneDX.Spdx/Models/v2_3/File.cs similarity index 99% rename from src/CycloneDX.Spdx/Models/v2_2/File.cs rename to src/CycloneDX.Spdx/Models/v2_3/File.cs index 1659b574..32c7f378 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/File.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/File.cs @@ -20,7 +20,7 @@ using System.Text.Json.Serialization; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class File { diff --git a/src/CycloneDX.Spdx/Models/v2_2/FileType.cs b/src/CycloneDX.Spdx/Models/v2_3/FileType.cs similarity index 96% rename from src/CycloneDX.Spdx/Models/v2_2/FileType.cs rename to src/CycloneDX.Spdx/Models/v2_3/FileType.cs index b0d024a0..c6eaf3c9 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/FileType.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/FileType.cs @@ -17,7 +17,7 @@ using System; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public enum FileType { diff --git a/src/CycloneDX.Spdx/Models/v2_2/Package.cs b/src/CycloneDX.Spdx/Models/v2_3/Package.cs similarity index 84% rename from src/CycloneDX.Spdx/Models/v2_2/Package.cs rename to src/CycloneDX.Spdx/Models/v2_3/Package.cs index 8939e171..33cd552f 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/Package.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/Package.cs @@ -17,10 +17,11 @@ using System; using System.Collections.Generic; +using System.Runtime.InteropServices; using System.Text.Json.Serialization; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class Package { 
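Review bot: `using System.Runtime.InteropServices;` is added to Package.cs, but nothing in this hunk references that namespace, and a serialization model has no reason to pull in interop types; drop the directive unless a later hunk genuinely needs it. The class body continues outside this hunk.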
@@ -42,11 +43,21 @@ public class Package [XmlElement("attributionTexts")] public List AttributionTexts { get; set; } + /// + /// Provides a place for recording the actual date the package was built. + /// + [XmlElement("builtDate")] + [JsonConverter(typeof(UtcDateTimeConverter))] + public DateTime? BuiltDate { get; set; } + /// /// The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed. /// [XmlElement("checksums")] public List Checksums { get; set; } + + [XmlElement("comment")] + public string Comment { get; set; } /// /// The text of copyright declarations recited in the Package or File. @@ -77,13 +88,7 @@ public class Package /// [XmlElement("filesAnalyzed")] public bool? FilesAnalyzed { get; set; } - - /// - /// Indicates that a particular file belongs to a package. - /// - [XmlElement("hasFiles")] - public List HasFiles { get; set; } - + [XmlElement("homepage")] public string Homepage { get; set; } @@ -135,6 +140,25 @@ public class Package [XmlElement("packageVerificationCode")] public PackageVerificationCode PackageVerificationCode { get; set; } + /// + /// Provides information about the primary purpose of the identified package. + /// + [XmlElement("primaryPackagePurpose")] + public PrimaryPackagePurposeType? PrimaryPackagePurpose { get; set; } + + /// + /// Indicates that a particular file belongs to a package. + /// + [XmlElement("hasFiles")] + public List HasFiles { get; set; } + + /// + /// Provides a place for recording the date the package was released. + /// + [XmlElement("releaseDate")] + [JsonConverter(typeof(UtcDateTimeConverter))] + public DateTime? ReleaseDate { get; set; } + /// /// Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source. /// 
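Review bot: `BuiltDate` and `ReleaseDate` here, and `ValidUntilDate` in the next Package.cs hunk, are `DateTime?` properties decorated with `[JsonConverter(typeof(UtcDateTimeConverter))]`, while the converter this commit adds is written for plain `DateTime`; System.Text.Json has not always accepted a converter for `T` on a `T?` member (older runtimes raise InvalidOperationException at serialization time), so a JSON round-trip test of a package with and without these dates is needed on each target framework. The new `Comment` property in the first hunk has no `///` summary although every neighbour carries one; `/// Free-form comment about the package.` would match the file's style. Moving `HasFiles` below `PrimaryPackagePurpose` changes the element order XmlSerializer emits; if that is deliberate to follow the SPDX 2.3 XML sequence, a one-line comment saying so would keep the next tidy-up from reverting it.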
@@ -153,13 +177,24 @@ public class Package [XmlElement("supplier")] public string Supplier { get; set; } - [XmlElement("comment")] - public string Comment { get; set; } + /// + /// Provides a place for recording the end of the support period for a package from the supplier. + /// + [XmlElement("validUntilDate")] + [JsonConverter(typeof(UtcDateTimeConverter))] + public DateTime? ValidUntilDate { get; set; } /// /// Provides an indication of the version of the package that is described by this SpdxDocument. /// [XmlElement("versionInfo")] public string VersionInfo { get; set; } + + + public bool ShouldSerializeBuiltDate() => BuiltDate.HasValue; + public bool ShouldSerializePrimaryPackagePurpose() => PrimaryPackagePurpose.HasValue; + public bool ShouldSerializeReleaseDate() => ReleaseDate.HasValue; + public bool ShouldSerializeValidUntilDate() => ValidUntilDate.HasValue; + } } diff --git a/src/CycloneDX.Spdx/Models/v2_2/PackageVerificationCode.cs b/src/CycloneDX.Spdx/Models/v2_3/PackageVerificationCode.cs similarity index 97% rename from src/CycloneDX.Spdx/Models/v2_2/PackageVerificationCode.cs rename to src/CycloneDX.Spdx/Models/v2_3/PackageVerificationCode.cs index 2392d28f..9ab2401d 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/PackageVerificationCode.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/PackageVerificationCode.cs @@ -19,7 +19,7 @@ using System.Collections.Generic; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class PackageVerificationCode { diff --git a/src/CycloneDX.Spdx/Models/v2_2/ChecksumAlgorithm.cs b/src/CycloneDX.Spdx/Models/v2_3/PrimaryPackagePurposeType.cs similarity index 63% rename from src/CycloneDX.Spdx/Models/v2_2/ChecksumAlgorithm.cs rename to src/CycloneDX.Spdx/Models/v2_3/PrimaryPackagePurposeType.cs index c5d2c015..8e014a5f 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/ChecksumAlgorithm.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/PrimaryPackagePurposeType.cs 
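Review bot: The four `ShouldSerialize*()` methods carry no comment explaining that XmlSerializer looks for that naming pattern to decide whether to emit an element, so they read as dead code to anyone who does not know the convention; add `// XmlSerializer convention: ShouldSerializeX() suppresses the element when the nullable value is unset.` above the group and collapse the two blank lines before it to one. The same comment belongs on the two `ShouldSerialize*()` methods this commit adds to RangePointer.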
@@ -1,4 +1,4 @@ -// This file is part of CycloneDX Library for .NET +// This file is part of CycloneDX Library for .NET // // Licensed under the Apache License, Version 2.0 (the “License”); // you may not use this file except in compliance with the License. @@ -15,20 +15,23 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright (c) OWASP Foundation. All Rights Reserved. -using System; +using System.Runtime.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { - public enum ChecksumAlgorithm + public enum PrimaryPackagePurposeType { - SHA256, - SHA1, - SHA384, - MD2, - MD4, - SHA512, - MD6, - MD5, - SHA224, + APPLICATION, + FRAMEWORK, + LIBRARY, + CONTAINER, + OPERATING_SYSTEM, + DEVICE, + FIRMWARE, + SOURCE, + ARCHIVE, + FILE, + INSTALL, + OTHER } -} +} \ No newline at end of file diff --git a/src/CycloneDX.Spdx/Models/v2_2/Range.cs b/src/CycloneDX.Spdx/Models/v2_3/Range.cs similarity index 96% rename from src/CycloneDX.Spdx/Models/v2_2/Range.cs rename to src/CycloneDX.Spdx/Models/v2_3/Range.cs index c44ba965..a042c64c 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/Range.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/Range.cs @@ -18,7 +18,7 @@ using System; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class Range { diff --git a/src/CycloneDX.Spdx/Models/v2_2/RangePointer.cs b/src/CycloneDX.Spdx/Models/v2_3/RangePointer.cs similarity index 88% rename from src/CycloneDX.Spdx/Models/v2_2/RangePointer.cs rename to src/CycloneDX.Spdx/Models/v2_3/RangePointer.cs index 1ed20150..c2f1e16c 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/RangePointer.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/RangePointer.cs @@ -18,7 +18,7 @@ using System; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class RangePointer { 
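Review bot: In PrimaryPackagePurposeType.cs `using System.Runtime.Serialization;` replaces `using System;`, but nothing in the enum uses either namespace, and `OPERATING_SYSTEM` carries no `[XmlEnum]` or JSON name mapping even though this commit's `ExternalRefCategory` maps its multi-word members to hyphenated names; if the SPDX 2.3 schema spells this value `OPERATING-SYSTEM`, the member will not round-trip, so confirm against the bundled 2.3 schema. The first hunk rewrites the opening comment line with no visible change, presumably a BOM or line-ending difference, which is better normalised through `.editorconfig`/`.gitattributes` than by touching the file. The file also loses its trailing newline.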
@@ -39,5 +39,8 @@ public class RangePointer /// [XmlElement("reference")] public string Reference { get; set; } + + public bool ShouldSerializeOffset() => Offset.HasValue; + public bool ShouldSerializeLineNumber() => LineNumber.HasValue; } } diff --git a/src/CycloneDX.Spdx/Models/v2_2/Relationship.cs b/src/CycloneDX.Spdx/Models/v2_3/Relationship.cs similarity index 97% rename from src/CycloneDX.Spdx/Models/v2_2/Relationship.cs rename to src/CycloneDX.Spdx/Models/v2_3/Relationship.cs index 944c1b91..2772b51f 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/Relationship.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/Relationship.cs @@ -18,7 +18,7 @@ using System; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class Relationship { @@ -31,16 +31,18 @@ public class Relationship [XmlElement("comment")] public string Comment { get; set; } + /// + /// Describes the type of relationship between two SPDX elements. + /// + [XmlElement("relationshipType")] + + public RelationshipType RelationshipType { get; set; } /// /// SPDX ID for SpdxElement. A related SpdxElement. /// [XmlElement("relatedSpdxElement")] public string RelatedSpdxElement { get; set; } - /// - /// Describes the type of relationship between two SPDX elements. - /// - [XmlElement("relationshipType")] - public RelationshipType RelationshipType { get; set; } + } } diff --git a/src/CycloneDX.Spdx/Models/v2_2/RelationshipType.cs b/src/CycloneDX.Spdx/Models/v2_3/RelationshipType.cs similarity index 94% rename from src/CycloneDX.Spdx/Models/v2_2/RelationshipType.cs rename to src/CycloneDX.Spdx/Models/v2_3/RelationshipType.cs index fa02cebb..98765fbc 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/RelationshipType.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/RelationshipType.cs @@ -17,7 +17,7 @@ using System; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public enum RelationshipType { 
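Review bot: In Relationship.cs a stray blank line separates `[XmlElement("relationshipType")]` from `public RelationshipType RelationshipType { get; set; }`; the attribute still binds to the property, but it reads as orphaned, so join them and drop the empty line left where the old declaration stood. Moving the property ahead of `RelatedSpdxElement` changes the element order XmlSerializer emits; if that is deliberate to match the SPDX 2.3 XML sequence, a comment such as `// Declared before RelatedSpdxElement to match the SPDX 2.3 element order.` would stop the next refactor from putting it back.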
@@ -64,5 +64,7 @@ public enum RelationshipType EXPANDED_FROM_ARCHIVE, DEV_TOOL_OF, EXAMPLE_OF, + REQUIREMENT_DESCRIPTION_FOR, + SPECIFICATION_FOR } } diff --git a/src/CycloneDX.Spdx/Models/v2_2/ReviewInformation.cs b/src/CycloneDX.Spdx/Models/v2_3/ReviewInformation.cs similarity index 97% rename from src/CycloneDX.Spdx/Models/v2_2/ReviewInformation.cs rename to src/CycloneDX.Spdx/Models/v2_3/ReviewInformation.cs index 66a3da71..10e89d4d 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/ReviewInformation.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/ReviewInformation.cs @@ -18,7 +18,7 @@ using System; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class ReviewInformation { diff --git a/src/CycloneDX.Spdx/Models/v2_2/Snippet.cs b/src/CycloneDX.Spdx/Models/v2_3/Snippet.cs similarity index 97% rename from src/CycloneDX.Spdx/Models/v2_2/Snippet.cs rename to src/CycloneDX.Spdx/Models/v2_3/Snippet.cs index 29914bb5..3017cc27 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/Snippet.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/Snippet.cs @@ -20,7 +20,7 @@ using System.Text.Json.Serialization; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { public class Snippet { @@ -78,6 +78,7 @@ public class Snippet /// /// SPDX ID for File. File containing the SPDX element (e.g. the file contaning a snippet). /// + [XmlElement("snippetFromFile")] public string SnippetFromFile { get; set; } /// diff --git a/src/CycloneDX.Spdx/Models/v2_2/SpdxDocument.cs b/src/CycloneDX.Spdx/Models/v2_3/SpdxDocument.cs similarity index 98% rename from src/CycloneDX.Spdx/Models/v2_2/SpdxDocument.cs rename to src/CycloneDX.Spdx/Models/v2_3/SpdxDocument.cs index 324896a2..68761be7 100644 --- a/src/CycloneDX.Spdx/Models/v2_2/SpdxDocument.cs +++ b/src/CycloneDX.Spdx/Models/v2_3/SpdxDocument.cs 
@@ -21,7 +21,7 @@ using System.Text.Json.Serialization; using System.Xml.Serialization; -namespace CycloneDX.Spdx.Models.v2_2 +namespace CycloneDX.Spdx.Models.v2_3 { [XmlRoot("Document", IsNullable = false)] public class SpdxDocument @@ -37,7 +37,7 @@ public class SpdxDocument /// Provide a reference number that can be used to understand how to parse and interpret the rest of the file. It will enable both future changes to the specification and to support backward compatibility. The version number consists of a major and minor version indicator. The major field will be incremented when incompatible changes between versions are made (one or more sections are created, modified or deleted). The minor field will be incremented when backwards compatible changes are made. /// [XmlElement("spdxVersion")] - public string SpdxVersion { get; } = "SPDX-2.2"; + public string SpdxVersion { get; } = "SPDX-2.3"; /// /// One instance is required for each SPDX file produced. It provides the necessary information for forward and backward compatibility for processing tools. @@ -83,6 +83,12 @@ public class SpdxDocument /// [Obsolete("Revieweds is deprecated, use Annotation instead")] public List Revieweds { get; set; } + + /// + /// Packages, files and/or Snippets described by this SPDX document + /// + [XmlElement("documentDescribes")] + public List DocumentDescribes { get; set; } /// /// The URI provides an unambiguous mechanism for other SPDX documents to reference SPDX elements within this SPDX document. @@ -90,12 +96,6 @@ public class SpdxDocument [XmlElement("documentNamespace")] public string DocumentNamespace { get; set; } - /// - /// Packages, files and/or Snippets described by this SPDX document - /// - [XmlElement("documentDescribes")] - public List DocumentDescribes { get; set; } - /// /// Packages referenced in the SPDX document /// 
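Review bot: `SpdxVersion` remains a get-only property hard-coded to `"SPDX-2.3"`, so the version declared by a document being deserialized is discarded rather than checked; with the 2.2 schema deleted in this commit, an `SPDX-2.2` input would be read as if it were 2.3 with no signal to the caller. XmlSerializer also skips get-only non-collection properties on output, so unless the XML path writes this element some other way `spdxVersion` may never be emitted — worth verifying with a serialized sample. `public string SpdxVersion { get; set; } = "SPDX-2.3";` plus a version check in the reader would address both.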
diff --git a/src/CycloneDX.Spdx/Models/v2_3/UtcDateTimeConverter.cs b/src/CycloneDX.Spdx/Models/v2_3/UtcDateTimeConverter.cs
new file mode 100644
index 00000000..ee9aa061
--- /dev/null
+++ b/src/CycloneDX.Spdx/Models/v2_3/UtcDateTimeConverter.cs
@@ -0,0 +1,20 @@
+using System;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+
+namespace CycloneDX.Spdx.Models.v2_3
+{
+ public class UtcDateTimeConverter : JsonConverter
+ {
+ public override DateTime Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
+ {
+ return DateTime.Parse(reader.GetString());
+ }
+
+ public override void Write(Utf8JsonWriter writer, DateTime value, JsonSerializerOptions options)
+ {
+ // Convert to UTC and format as "yyyy-MM-ddTHH:mm:ssZ"
+ writer.WriteStringValue(value.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ"));
+ }
+ }
+}
diff --git a/src/CycloneDX.Spdx/Schemas/spdx-2.2.schema.json b/src/CycloneDX.Spdx/Schemas/spdx-2.2.schema.json
deleted file mode 100644
index 590e42c7..00000000
--- a/src/CycloneDX.Spdx/Schemas/spdx-2.2.schema.json
+++ /dev/null
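Review bot: `Read` calls `DateTime.Parse(reader.GetString())` with no culture or `DateTimeStyles`, so a value such as `2023-01-01T00:00:00Z` comes back converted to the host's local time with `Kind == Local`, the parse is culture-sensitive, and a JSON `null` token makes `GetString()` return null and the parse throw. Replace the body with `var text = reader.GetString() ?? throw new JsonException("Expected an ISO 8601 date-time string.");` and `return DateTime.Parse(text, CultureInfo.InvariantCulture, DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal);` (adding `using System.Globalization;`), which yields a `Kind == Utc` value and reports bad input through the serializer's own exception type. In `Write`, `ToUniversalTime()` treats `Kind == Unspecified` as local time, so a value assigned from a date without zone information is shifted by the host offset before the literal `Z` is appended; either callers must set the kind explicitly or the converter should document that it interprets unspecified kinds as local. The new file also lacks the Apache license header that every other file in this commit carries.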
@@ -1,722 +0,0 @@ -{ - "$schema" : "http://json-schema.org/draft-07/schema#", - "$id" : "http://spdx.org/rdf/terms", - "title" : "SPDX 2.2", - "type" : "object", - "properties" : { - "SPDXID" : { - "type" : "string", - "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." - }, - "annotations" : { - "description" : "Provide additional information about an SpdxElement.", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "annotationDate" : { - "description" : "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", - "type" : "string" - }, - "annotationType" : { - "description" : "Type of the annotation.", - "type" : "string", - "enum" : [ "OTHER", "REVIEW" ] - }, - "annotator" : { - "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", - "type" : "string" - }, - "comment" : { - "type" : "string" - } - }, - "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], - "additionalProperties" : false, - "description" : "An Annotation is a comment on an SpdxItem by an agent." - } - }, - "comment" : { - "type" : "string" - }, - "creationInfo" : { - "type" : "object", - "properties" : { - "comment" : { - "type" : "string" - }, - "created" : { - "description" : "Identify when the SPDX file was originally created. The date is to be specified according to combined date and time in UTC format as specified in ISO 8601 standard. This field is distinct from the fields in section 8, which involves the addition of information during a subsequent review.", - "type" : "string" - }, - "creators" : { - "description" : "Identify who (or what, in the case of a tool) created the SPDX file. If the SPDX file was created by an individual, indicate the person's name. 
If the SPDX file was created on behalf of a company or organization, indicate the entity name. If the SPDX file was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", - "minItems" : 1, - "type" : "array", - "items" : { - "description" : "Identify who (or what, in the case of a tool) created the SPDX file. If the SPDX file was created by an individual, indicate the person's name. If the SPDX file was created on behalf of a company or organization, indicate the entity name. If the SPDX file was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as “anonymous” if appropriate.", - "type" : "string" - } - }, - "licenseListVersion" : { - "description" : "An optional field for creators of the SPDX file to provide the version of the SPDX License List used when the SPDX file was created.", - "type" : "string" - } - }, - "required" : [ "created", "creators" ], - "additionalProperties" : false, - "description" : "One instance is required for each SPDX file produced. It provides the necessary information for forward and backward compatibility for processing tools." - }, - "dataLicense" : { - "description" : "License expression for dataLicense. Compliance with the SPDX specification includes populating the SPDX fields therein with data related to such fields (\"SPDX-Metadata\"). The SPDX specification contains numerous fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. Without opining on the lawfulness of \"database rights\" (in jurisdictions where applicable), such explanatory text is copyrightable subject matter in most Berne Convention countries. 
By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you \"as-is\" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.", - "type" : "string" - }, - "externalDocumentRefs" : { - "description" : "Identify any external SPDX documents referenced within this SPDX document.", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "checksum" : { - "type" : "object", - "properties" : { - "algorithm" : { - "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", - "type" : "string", - "enum" : [ "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224" ] - }, - "checksumValue" : { - "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", - "type" : "string" - } - }, - "required" : [ "algorithm", "checksumValue" ], - "additionalProperties" : false, - "description" : "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. 
This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." - }, - "externalDocumentId" : { - "description" : "externalDocumentId is a string containing letters, numbers, ., - and/or + which uniquely identifies an external document within this document.", - "type" : "string" - }, - "spdxDocument" : { - "description" : "SPDX ID for SpdxDocument. A property containing an SPDX document.", - "type" : "string" - } - }, - "required" : [ "checksum", "externalDocumentId", "spdxDocument" ], - "additionalProperties" : false, - "description" : "Information about an external SPDX document reference including the checksum. This allows for verification of the external references." - } - }, - "hasExtractedLicensingInfos" : { - "description" : "Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "comment" : { - "type" : "string" - }, - "crossRefs" : { - "description" : "Cross Reference Detail for a license SeeAlso URL", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "isLive" : { - "description" : "Indicate a URL is still a live accessible location on the public internet", - "type" : "boolean" - }, - "isValid" : { - "description" : "True if the URL is a valid well formed URL", - "type" : "boolean" - }, - "isWayBackLink" : { - "description" : "True if the License SeeAlso URL points to a Wayback archive", - "type" : "boolean" - }, - "match" : { - "description" : "Status of a License List SeeAlso URL reference if it refers to a website that matches the license text.", - "type" : "string" - }, - "order" : { - "description" : "The ordinal order of this element within a list", - "type" : "integer" - }, - "timestamp" : { - "description" : "Timestamp", - "type" : "string" - }, - "url" : { - "description" : "URL Reference", - "type" : "string" - } - }, - "required" : [ "url" ], - 
"additionalProperties" : false, - "description" : "Cross reference details for the a URL reference" - } - }, - "extractedText" : { - "description" : "Verbatim license or licensing notice text that was discovered.", - "type" : "string" - }, - "licenseId" : { - "description" : "A human readable short form license identifier for a license. The license ID is either on the standard license list or the form \"LicenseRef-\"[idString] where [idString] is a unique string containing letters, numbers, \".\", \"-\" or \"+\".", - "type" : "string" - }, - "name" : { - "description" : "Identify name of this SpdxElement.", - "type" : "string" - }, - "seeAlsos" : { - "type" : "array", - "items" : { - "type" : "string" - } - } - }, - "required" : [ "extractedText", "licenseId" ], - "additionalProperties" : false, - "description" : "An ExtractedLicensingInfo represents a license or licensing notice that was found in a package, file or snippet. Any license text that is recognized as a license may be represented as a License rather than an ExtractedLicensingInfo." - } - }, - "name" : { - "description" : "Identify name of this SpdxElement.", - "type" : "string" - }, - "revieweds" : { - "description" : "Reviewed", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "comment" : { - "type" : "string" - }, - "reviewDate" : { - "description" : "The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.", - "type" : "string" - }, - "reviewer" : { - "description" : "The name and, optionally, contact information of the person who performed the review. Values of this property must conform to the agent and tool syntax.", - "type" : "string" - } - }, - "required" : [ "reviewDate" ], - "additionalProperties" : false - } - }, - "spdxVersion" : { - "description" : "Provide a reference number that can be used to understand how to parse and interpret the rest of the file. 
It will enable both future changes to the specification and to support backward compatibility. The version number consists of a major and minor version indicator. The major field will be incremented when incompatible changes between versions are made (one or more sections are created, modified or deleted). The minor field will be incremented when backwards compatible changes are made.", - "type" : "string" - }, - "documentNamespace" : { - "type" : "string", - "description" : "The URI provides an unambiguous mechanism for other SPDX documents to reference SPDX elements within this SPDX document." - }, - "documentDescribes" : { - "description" : "Packages, files and/or Snippets described by this SPDX document", - "type" : "array", - "items" : { - "type" : "string", - "description" : "SPDX ID for each Package, File, or Snippet." - } - }, - "packages" : { - "description" : "Packages referenced in the SPDX document", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "SPDXID" : { - "type" : "string", - "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." - }, - "annotations" : { - "description" : "Provide additional information about an SpdxElement.", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "annotationDate" : { - "description" : "Identify when the comment was made. 
This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", - "type" : "string" - }, - "annotationType" : { - "description" : "Type of the annotation.", - "type" : "string", - "enum" : [ "OTHER", "REVIEW" ] - }, - "annotator" : { - "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", - "type" : "string" - }, - "comment" : { - "type" : "string" - } - }, - "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], - "additionalProperties" : false, - "description" : "An Annotation is a comment on an SpdxItem by an agent." - } - }, - "attributionTexts" : { - "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", - "type" : "array", - "items" : { - "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). 
The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", - "type" : "string" - } - }, - "checksums" : { - "description" : "The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "algorithm" : { - "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", - "type" : "string", - "enum" : [ "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224" ] - }, - "checksumValue" : { - "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", - "type" : "string" - } - }, - "required" : [ "algorithm", "checksumValue" ], - "additionalProperties" : false, - "description" : "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." - } - }, - "comment" : { - "type" : "string" - }, - "copyrightText" : { - "description" : "The text of copyright declarations recited in the Package or File.", - "type" : "string" - }, - "description" : { - "description" : "Provides a detailed description of the package.", - "type" : "string" - }, - "downloadLocation" : { - "description" : "The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property. 
The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#noassertion may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.", - "type" : "string" - }, - "externalRefs" : { - "description" : "An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package.", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "comment" : { - "type" : "string" - }, - "referenceCategory" : { - "description" : "Category for the external reference", - "type" : "string", - "enum" : [ "OTHER", "PERSISTENT_ID", "SECURITY", "PACKAGE_MANAGER" ] - }, - "referenceLocator" : { - "description" : "The unique string with no spaces necessary to access the package-specific information, metadata, or content within the target location. The format of the locator is subject to constraints defined by the .", - "type" : "string" - }, - "referenceType" : { - "description" : "Type of the external reference. These are definined in an appendix in the SPDX specification.", - "type" : "string" - } - }, - "required" : [ "referenceCategory", "referenceLocator", "referenceType" ], - "additionalProperties" : false, - "description" : "An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package." - } - }, - "filesAnalyzed" : { - "description" : "Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. 
If set to false, the package must not contain any files.", - "type" : "boolean" - }, - "hasFiles" : { - "description" : "Indicates that a particular file belongs to a package.", - "type" : "array", - "items" : { - "description" : "SPDX ID for File. Indicates that a particular file belongs to a package.", - "type" : "string" - } - }, - "homepage" : { - "type" : "string" - }, - "licenseComments" : { - "description" : "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", - "type" : "string" - }, - "licenseConcluded" : { - "description" : "License expression for licenseConcluded. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.", - "type" : "string" - }, - "licenseDeclared" : { - "description" : "License expression for licenseDeclared. The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.", - "type" : "string" - }, - "licenseInfoFromFiles" : { - "description" : "The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.", - "type" : "array", - "items" : { - "description" : "License expression for licenseInfoFromFiles. The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.", - "type" : "string" - } - }, - "name" : { - "description" : "Identify name of this SpdxElement.", - "type" : "string" - }, - "originator" : { - "description" : "The name and, optionally, contact information of the person or organization that originally created the package. 
Values of this property must conform to the agent and tool syntax.", - "type" : "string" - }, - "packageFileName" : { - "description" : "The base name of the package file name. For example, zlib-1.2.5.tar.gz.", - "type" : "string" - }, - "packageVerificationCode" : { - "type" : "object", - "properties" : { - "packageVerificationCodeExcludedFiles" : { - "description" : "A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.", - "type" : "array", - "items" : { - "description" : "A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.", - "type" : "string" - } - }, - "packageVerificationCodeValue" : { - "description" : "The actual package verification code as a hex encoded value.", - "type" : "string" - } - }, - "required" : [ "packageVerificationCodeValue" ], - "additionalProperties" : false, - "description" : "A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the SPDX Item. This allows consumers of this data and/or database to determine if an SPDX item they have in hand is identical to the SPDX item from which the data was produced. This algorithm works even if the SPDX document is included in the SPDX item." 
- }, - "sourceInfo" : { - "description" : "Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.", - "type" : "string" - }, - "summary" : { - "description" : "Provides a short description of the package.", - "type" : "string" - }, - "supplier" : { - "description" : "The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than originator when the software has been repackaged. Values of this property must conform to the agent and tool syntax.", - "type" : "string" - }, - "versionInfo" : { - "description" : "Provides an indication of the version of the package that is described by this SpdxDocument.", - "type" : "string" - } - }, - "required" : [ "SPDXID", "copyrightText", "downloadLocation", "licenseConcluded", "licenseDeclared", "name" ], - "additionalProperties" : false - } - }, - "files" : { - "description" : "Files referenced in the SPDX document", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "SPDXID" : { - "type" : "string", - "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." - }, - "annotations" : { - "description" : "Provide additional information about an SpdxElement.", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "annotationDate" : { - "description" : "Identify when the comment was made. 
This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", - "type" : "string" - }, - "annotationType" : { - "description" : "Type of the annotation.", - "type" : "string", - "enum" : [ "OTHER", "REVIEW" ] - }, - "annotator" : { - "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", - "type" : "string" - }, - "comment" : { - "type" : "string" - } - }, - "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], - "additionalProperties" : false, - "description" : "An Annotation is a comment on an SpdxItem by an agent." - } - }, - "artifactOfs" : { - "description" : "Indicates the project in which the SpdxElement originated. Tools must preserve doap:homepage and doap:name properties and the URI (if one is known) of doap:Project resources that are values of this property. All other properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.", - "type" : "array", - "items" : { - "type" : "object" - } - }, - "attributionTexts" : { - "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", - "type" : "array", - "items" : { - "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. 
This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", - "type" : "string" - } - }, - "checksums" : { - "description" : "The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.", - "minItems" : 1, - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "algorithm" : { - "description" : "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", - "type" : "string", - "enum" : [ "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224" ] - }, - "checksumValue" : { - "description" : "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", - "type" : "string" - } - }, - "required" : [ "algorithm", "checksumValue" ], - "additionalProperties" : false, - "description" : "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." - } - }, - "comment" : { - "type" : "string" - }, - "copyrightText" : { - "description" : "The text of copyright declarations recited in the Package or File.", - "type" : "string" - }, - "fileContributors" : { - "description" : "This field provides a place for the SPDX file creator to record file contributors. 
Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.", - "type" : "array", - "items" : { - "description" : "This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.", - "type" : "string" - } - }, - "fileDependencies" : { - "type" : "array", - "items" : { - "description" : "SPDX ID for File", - "type" : "string" - } - }, - "fileName" : { - "description" : "The name of the file relative to the root of the package.", - "type" : "string" - }, - "fileTypes" : { - "description" : "The type of the file.", - "type" : "array", - "items" : { - "description" : "The type of the file.", - "type" : "string", - "enum" : [ "OTHER", "DOCUMENTATION", "IMAGE", "VIDEO", "ARCHIVE", "SPDX", "APPLICATION", "SOURCE", "BINARY", "TEXT", "AUDIO" ] - } - }, - "licenseComments" : { - "description" : "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", - "type" : "string" - }, - "licenseConcluded" : { - "description" : "License expression for licenseConcluded. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.", - "type" : "string" - }, - "licenseInfoInFiles" : { - "description" : "Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.", - "minItems" : 1, - "type" : "array", - "items" : { - "description" : "License expression for licenseInfoInFile. Licensing information that was discovered directly in the subject file. 
This is also considered a declared license for the file.", - "type" : "string" - } - }, - "noticeText" : { - "description" : "This field provides a place for the SPDX file creator to record potential legal notices found in the file. This may or may not include copyright statements.", - "type" : "string" - } - }, - "required" : [ "SPDXID", "checksums", "copyrightText", "fileName", "licenseConcluded", "licenseInfoInFiles" ], - "additionalProperties" : false - } - }, - "snippets" : { - "description" : "Snippets referenced in the SPDX document", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "SPDXID" : { - "type" : "string", - "description" : "Uniquely identify any element in an SPDX document which may be referenced by other elements." - }, - "annotations" : { - "description" : "Provide additional information about an SpdxElement.", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "annotationDate" : { - "description" : "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", - "type" : "string" - }, - "annotationType" : { - "description" : "Type of the annotation.", - "type" : "string", - "enum" : [ "OTHER", "REVIEW" ] - }, - "annotator" : { - "description" : "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", - "type" : "string" - }, - "comment" : { - "type" : "string" - } - }, - "required" : [ "annotationDate", "annotationType", "annotator", "comment" ], - "additionalProperties" : false, - "description" : "An Annotation is a comment on an SpdxItem by an agent." - } - }, - "attributionTexts" : { - "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. 
This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", - "type" : "array", - "items" : { - "description" : "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", - "type" : "string" - } - }, - "comment" : { - "type" : "string" - }, - "copyrightText" : { - "description" : "The text of copyright declarations recited in the Package or File.", - "type" : "string" - }, - "licenseComments" : { - "description" : "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", - "type" : "string" - }, - "licenseConcluded" : { - "description" : "License expression for licenseConcluded. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.", - "type" : "string" - }, - "licenseInfoInSnippets" : { - "description" : "Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.", - "type" : "array", - "items" : { - "description" : "License expression for licenseInfoInSnippet. Licensing information that was discovered directly in the subject snippet. 
This is also considered a declared license for the snippet.", - "type" : "string" - } - }, - "name" : { - "description" : "Identify name of this SpdxElement.", - "type" : "string" - }, - "ranges" : { - "description" : "This field defines the byte range in the original host file (in X.2) that the snippet information applies to", - "minItems" : 1, - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "endPointer" : { - "type" : "object", - "properties" : { - "reference" : { - "description" : "SPDX ID for File", - "type" : "string" - }, - "offset" : { - "type" : "integer", - "description" : "Byte offset in the file" - }, - "lineNumber" : { - "type" : "integer", - "description" : "line number offset in the file" - } - }, - "required" : [ "reference" ], - "additionalProperties" : false - }, - "startPointer" : { - "type" : "object", - "properties" : { - "reference" : { - "description" : "SPDX ID for File", - "type" : "string" - }, - "offset" : { - "type" : "integer", - "description" : "Byte offset in the file" - }, - "lineNumber" : { - "type" : "integer", - "description" : "line number offset in the file" - } - }, - "required" : [ "reference" ], - "additionalProperties" : false - } - }, - "required" : [ "endPointer", "startPointer" ], - "additionalProperties" : false - } - }, - "snippetFromFile" : { - "description" : "SPDX ID for File. File containing the SPDX element (e.g. 
the file contaning a snippet).", - "type" : "string" - } - }, - "required" : [ "SPDXID", "copyrightText", "licenseConcluded", "name", "ranges", "snippetFromFile" ], - "additionalProperties" : false - } - }, - "relationships" : { - "description" : "Relationships referenced in the SPDX document", - "type" : "array", - "items" : { - "type" : "object", - "properties" : { - "spdxElementId" : { - "type" : "string", - "description" : "Id to which the SPDX element is related" - }, - "comment" : { - "type" : "string" - }, - "relatedSpdxElement" : { - "description" : "SPDX ID for SpdxElement. A related SpdxElement.", - "type" : "string" - }, - "relationshipType" : { - "description" : "Describes the type of relationship between two SPDX elements.", - "type" : "string", - "enum" : [ "VARIANT_OF", "COPY_OF", "PATCH_FOR", "TEST_DEPENDENCY_OF", "CONTAINED_BY", "DATA_FILE_OF", "OPTIONAL_COMPONENT_OF", "ANCESTOR_OF", "GENERATES", "CONTAINS", "OPTIONAL_DEPENDENCY_OF", "FILE_ADDED", "DEV_DEPENDENCY_OF", "DEPENDENCY_OF", "BUILD_DEPENDENCY_OF", "DESCRIBES", "PREREQUISITE_FOR", "HAS_PREREQUISITE", "PROVIDED_DEPENDENCY_OF", "DYNAMIC_LINK", "DESCRIBED_BY", "METAFILE_OF", "DEPENDENCY_MANIFEST_OF", "PATCH_APPLIED", "RUNTIME_DEPENDENCY_OF", "TEST_OF", "TEST_TOOL_OF", "DEPENDS_ON", "FILE_MODIFIED", "DISTRIBUTION_ARTIFACT", "AMENDS", "DOCUMENTATION_OF", "GENERATED_FROM", "STATIC_LINK", "OTHER", "BUILD_TOOL_OF", "TEST_CASE_OF", "PACKAGE_OF", "DESCENDANT_OF", "FILE_DELETED", "EXPANDED_FROM_ARCHIVE", "DEV_TOOL_OF", "EXAMPLE_OF" ] - } - }, - "required" : [ "spdxElementId", "relatedSpdxElement", "relationshipType" ], - "additionalProperties" : false - } - } - }, - "required" : [ "SPDXID", "creationInfo", "dataLicense", "name", "spdxVersion" ], - "additionalProperties" : false -} \ No newline at end of file diff --git a/src/CycloneDX.Spdx/Schemas/spdx-2.2.schema.xsd b/src/CycloneDX.Spdx/Schemas/spdx-2.2.schema.xsd deleted file mode 100644 index c3aefbd2..00000000 
--- a/src/CycloneDX.Spdx/Schemas/spdx-2.2.schema.xsd +++ /dev/null @@ -1,205 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/src/CycloneDX.Spdx/Schemas/spdx-2.3.schema.json b/src/CycloneDX.Spdx/Schemas/spdx-2.3.schema.json new file mode 100644 index 00000000..5c6e3962 --- /dev/null +++ b/src/CycloneDX.Spdx/Schemas/spdx-2.3.schema.json 
@@ -0,0 +1,740 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "$id": "http://spdx.org/rdf/terms", + "title": "SPDX 2.3", + "type": "object", + "properties": { + "SPDXID": { + "type": "string", + "description": "Uniquely identify any element in an SPDX document which may be referenced by other elements." + }, + "annotations": { + "description": "Provide additional information about an SpdxElement.", + "type": "array", + "items": { + "type": "object", + "properties": { + "annotationDate": { + "description": "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", + "type": "string" + }, + "annotationType": { + "description": "Type of the annotation.", + "type": "string", + "enum": [ "OTHER", "REVIEW" ] + }, + "annotator": { + "description": "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", + "type": "string" + }, + "comment": { + "type": "string" + } + }, + "required": [ "annotationDate", "annotationType", "annotator", "comment" ], + "additionalProperties": false, + "description": "An Annotation is a comment on an SpdxItem by an agent." + } + }, + "comment": { + "type": "string" + }, + "creationInfo": { + "type": "object", + "properties": { + "comment": { + "type": "string" + }, + "created": { + "description": "Identify when the SPDX file was originally created. The date is to be specified according to combined date and time in UTC format as specified in ISO 8601 standard. This field is distinct from the fields in section 8, which involves the addition of information during a subsequent review.", + "type": "string" + }, + "creators": { + "description": "Identify who (or what, in the case of a tool) created the SPDX file. If the SPDX file was created by an individual, indicate the person's name. 
If the SPDX file was created on behalf of a company or organization, indicate the entity name. If the SPDX file was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as �anonymous� if appropriate.", + "minItems": 1, + "type": "array", + "items": { + "description": "Identify who (or what, in the case of a tool) created the SPDX file. If the SPDX file was created by an individual, indicate the person's name. If the SPDX file was created on behalf of a company or organization, indicate the entity name. If the SPDX file was created using a software tool, indicate the name and version for that tool. If multiple participants or tools were involved, use multiple instances of this field. Person name or organization name may be designated as �anonymous� if appropriate.", + "type": "string" + } + }, + "licenseListVersion": { + "description": "An optional field for creators of the SPDX file to provide the version of the SPDX License List used when the SPDX file was created.", + "type": "string" + } + }, + "required": [ "created", "creators" ], + "additionalProperties": false, + "description": "One instance is required for each SPDX file produced. It provides the necessary information for forward and backward compatibility for processing tools." + }, + "dataLicense": { + "description": "License expression for dataLicense. Compliance with the SPDX specification includes populating the SPDX fields therein with data related to such fields (\"SPDX-Metadata\"). The SPDX specification contains numerous fields where an SPDX document creator may provide relevant explanatory text in SPDX-Metadata. Without opining on the lawfulness of \"database rights\" (in jurisdictions where applicable), such explanatory text is copyrightable subject matter in most Berne Convention countries. 
By using the SPDX specification, or any portion hereof, you hereby agree that any copyright rights (as determined by your jurisdiction) in any SPDX-Metadata, including without limitation explanatory text, shall be subject to the terms of the Creative Commons CC0 1.0 Universal license. For SPDX-Metadata not containing any copyright rights, you hereby agree and acknowledge that the SPDX-Metadata is provided to you \"as-is\" and without any representations or warranties of any kind concerning the SPDX-Metadata, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non-infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.", + "type": "string" + }, + "externalDocumentRefs": { + "description": "Identify any external SPDX documents referenced within this SPDX document.", + "type": "array", + "items": { + "type": "object", + "properties": { + "checksum": { + "type": "object", + "properties": { + "algorithm": { + "description": "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. It is anticipated that other algorithms will be supported at a later time.", + "type": "string", + "enum": [ "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224" ] + }, + "checksumValue": { + "description": "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", + "type": "string" + } + }, + "required": [ "algorithm", "checksumValue" ], + "additionalProperties": false, + "description": "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. 
This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." + }, + "externalDocumentId": { + "description": "externalDocumentId is a string containing letters, numbers, ., - and/or + which uniquely identifies an external document within this document.", + "type": "string" + }, + "spdxDocument": { + "description": "SPDX ID for SpdxDocument. A property containing an SPDX document.", + "type": "string" + } + }, + "required": [ "checksum", "externalDocumentId", "spdxDocument" ], + "additionalProperties": false, + "description": "Information about an external SPDX document reference including the checksum. This allows for verification of the external references." + } + }, + "hasExtractedLicensingInfos": { + "description": "Indicates that a particular ExtractedLicensingInfo was defined in the subject SpdxDocument.", + "type": "array", + "items": { + "type": "object", + "properties": { + "comment": { + "type": "string" + }, + "crossRefs": { + "description": "Cross Reference Detail for a license SeeAlso URL", + "type": "array", + "items": { + "type": "object", + "properties": { + "isLive": { + "description": "Indicate a URL is still a live accessible location on the public internet", + "type": "boolean" + }, + "isValid": { + "description": "True if the URL is a valid well formed URL", + "type": "boolean" + }, + "isWayBackLink": { + "description": "True if the License SeeAlso URL points to a Wayback archive", + "type": "boolean" + }, + "match": { + "description": "Status of a License List SeeAlso URL reference if it refers to a website that matches the license text.", + "type": "string" + }, + "order": { + "description": "The ordinal order of this element within a list", + "type": "integer" + }, + "timestamp": { + "description": "Timestamp", + "type": "string" + }, + "url": { + "description": "URL Reference", + "type": "string" + } + }, + "required": [ "url" ], + "additionalProperties": false, + "description": 
"Cross reference details for the a URL reference" + } + }, + "extractedText": { + "description": "Verbatim license or licensing notice text that was discovered.", + "type": "string" + }, + "licenseId": { + "description": "A human readable short form license identifier for a license. The license ID is either on the standard license list or the form \"LicenseRef-\"[idString] where [idString] is a unique string containing letters, numbers, \".\", \"-\" or \"+\".", + "type": "string" + }, + "name": { + "description": "Identify name of this SpdxElement.", + "type": "string" + }, + "seeAlsos": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ "extractedText", "licenseId" ], + "additionalProperties": false, + "description": "An ExtractedLicensingInfo represents a license or licensing notice that was found in a package, file or snippet. Any license text that is recognized as a license may be represented as a License rather than an ExtractedLicensingInfo." + } + }, + "name": { + "description": "Identify name of this SpdxElement.", + "type": "string" + }, + "revieweds": { + "description": "Reviewed", + "type": "array", + "items": { + "type": "object", + "properties": { + "comment": { + "type": "string" + }, + "reviewDate": { + "description": "The date and time at which the SpdxDocument was reviewed. This value must be in UTC and have 'Z' as its timezone indicator.", + "type": "string" + }, + "reviewer": { + "description": "The name and, optionally, contact information of the person who performed the review. Values of this property must conform to the agent and tool syntax.", + "type": "string" + } + }, + "required": [ "reviewDate" ], + "additionalProperties": false + } + }, + "spdxVersion": { + "description": "Provide a reference number that can be used to understand how to parse and interpret the rest of the file. It will enable both future changes to the specification and to support backward compatibility. 
The version number consists of a major and minor version indicator. The major field will be incremented when incompatible changes between versions are made (one or more sections are created, modified or deleted). The minor field will be incremented when backwards compatible changes are made.", + "type": "string" + }, + "documentDescribes": { + "description": "Packages, files and/or Snippets described by this SPDX document", + "type": "array", + "items": { + "type": "string", + "description": "SPDX ID for each Package, File, or Snippet." + } + }, + "documentNamespace": { + "type": "string", + "description": "The URI provides an unambiguous mechanism for other SPDX documents to reference SPDX elements within this SPDX document." + }, + + "packages": { + "description": "Packages referenced in the SPDX document", + "type": "array", + "items": { + "type": "object", + "properties": { + "SPDXID": { + "type": "string", + "description": "Uniquely identify any element in an SPDX document which may be referenced by other elements." + }, + "annotations": { + "description": "Provide additional information about an SpdxElement.", + "type": "array", + "items": { + "type": "object", + "properties": { + "annotationDate": { + "description": "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", + "type": "string" + }, + "annotationType": { + "description": "Type of the annotation.", + "type": "string", + "enum": [ "OTHER", "REVIEW" ] + }, + "annotator": { + "description": "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", + "type": "string" + }, + "comment": { + "type": "string" + } + }, + "required": [ "annotationDate", "annotationType", "annotator", "comment" ], + "additionalProperties": false, + "description": "An Annotation is a comment on an SpdxItem by an agent." 
+ } + }, + "attributionTexts": { + "description": "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type": "array", + "items": { + "description": "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type": "string" + } + }, + "builtDate": { + "description": "Provides a place for recording the actual date the package was built.", + "type": "string" + }, + "checksums": { + "description": "The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.", + "type": "array", + "items": { + "type": "object", + "properties": { + "algorithm": { + "description": "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. 
It is anticipated that other algorithms will be supported at a later time.", + "type": "string", + "enum": [ "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224", "SHA3_256", "SHA3_384,", "SHA3_512", "BLAKE2b_256", "BLAKE2b_384", "BLAKE2b_512", "BLAKE3", "ADLER32" ] + }, + "checksumValue": { + "description": "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", + "type": "string" + } + }, + "required": [ "algorithm", "checksumValue" ], + "additionalProperties": false, + "description": "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." + } + }, + "comment": { + "type": "string" + }, + "copyrightText": { + "description": "The text of copyright declarations recited in the Package or File.", + "type": "string" + }, + "description": { + "description": "Provides a detailed description of the package.", + "type": "string" + }, + "downloadLocation": { + "description": "The URI at which this package is available for download. Private (i.e., not publicly reachable) URIs are acceptable as values of this property. 
The values http://spdx.org/rdf/terms#none and http://spdx.org/rdf/terms#noassertion may be used to specify that the package is not downloadable or that no attempt was made to determine its download location, respectively.", + "type": "string" + }, + "externalRefs": { + "description": "An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package.", + "type": "array", + "items": { + "type": "object", + "properties": { + "comment": { + "type": "string" + }, + "referenceCategory": { + "description": "Category for the external reference", + "type": "string", + "enum": [ "OTHER", "PERSISTENT_ID", "SECURITY", "PACKAGE_MANAGER" ] + }, + "referenceLocator": { + "description": "The unique string with no spaces necessary to access the package-specific information, metadata, or content within the target location. The format of the locator is subject to constraints defined by the .", + "type": "string" + }, + "referenceType": { + "description": "Type of the external reference. These are definined in an appendix in the SPDX specification.", + "type": "string" + } + }, + "required": [ "referenceCategory", "referenceLocator", "referenceType" ], + "additionalProperties": false, + "description": "An External Reference allows a Package to reference an external source of additional information, metadata, enumerations, asset identifiers, or downloadable content believed to be relevant to the Package." + } + }, + "filesAnalyzed": { + "description": "Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. 
If set to false, the package must not contain any files.", + "type": "boolean" + }, + "homepage": { + "type": "string" + }, + "licenseComments": { + "description": "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", + "type": "string" + }, + "licenseConcluded": { + "description": "License expression for licenseConcluded. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.", + "type": "string" + }, + "licenseDeclared": { + "description": "License expression for licenseDeclared. The licensing that the creators of the software in the package, or the packager, have declared. Declarations by the original software creator should be preferred, if they exist.", + "type": "string" + }, + "licenseInfoFromFiles": { + "description": "The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.", + "type": "array", + "items": { + "description": "License expression for licenseInfoFromFiles. The licensing information that was discovered directly within the package. There will be an instance of this property for each distinct value of alllicenseInfoInFile properties of all files contained in the package.", + "type": "string" + } + }, + "name": { + "description": "Identify name of this SpdxElement.", + "type": "string" + }, + "originator": { + "description": "The name and, optionally, contact information of the person or organization that originally created the package. Values of this property must conform to the agent and tool syntax.", + "type": "string" + }, + "packageFileName": { + "description": "The base name of the package file name. 
For example, zlib-1.2.5.tar.gz.", + "type": "string" + }, + "packageVerificationCode": { + "type": "object", + "properties": { + "packageVerificationCodeExcludedFiles": { + "description": "A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.", + "type": "array", + "items": { + "description": "A file that was excluded when calculating the package verification code. This is usually a file containing SPDX data regarding the package. If a package contains more than one SPDX file all SPDX files must be excluded from the package verification code. If this is not done it would be impossible to correctly calculate the verification codes in both files.", + "type": "string" + } + }, + "packageVerificationCodeValue": { + "description": "The actual package verification code as a hex encoded value.", + "type": "string" + } + }, + "required": [ "packageVerificationCodeValue" ], + "additionalProperties": false, + "description": "A manifest based verification code (the algorithm is defined in section 4.7 of the full specification) of the SPDX Item. This allows consumers of this data and/or database to determine if an SPDX item they have in hand is identical to the SPDX item from which the data was produced. This algorithm works even if the SPDX document is included in the SPDX item." 
+ }, + "primaryPackagePurpose": { + "description": "Provides information about the primary purpose of the identified package.", + "type": "string", + "enum": [ "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING_SYSTEM", "DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER" ] + }, + "hasFiles": { + "description": "Indicates that a particular file belongs to a package.", + "type": "array", + "items": { + "description": "SPDX ID for File. Indicates that a particular file belongs to a package.", + "type": "string" + } + }, + "releaseDate": { + "description": "Provides a place for recording the date the package was released.", + "type": "string" + }, + "sourceInfo": { + "description": "Allows the producer(s) of the SPDX document to describe how the package was acquired and/or changed from the original source.", + "type": "string" + }, + "summary": { + "description": "Provides a short description of the package.", + "type": "string" + }, + "supplier": { + "description": "The name and, optionally, contact information of the person or organization who was the immediate supplier of this package to the recipient. The supplier may be different than originator when the software has been repackaged. 
Values of this property must conform to the agent and tool syntax.", + "type": "string" + }, + "validUntilDate": { + "description": "Provides a place for recording the end of the support period for a package from the supplier.", + "type": "string" + }, + "versionInfo": { + "description": "Provides an indication of the version of the package that is described by this SpdxDocument.", + "type": "string" + } + }, + "required": [ "SPDXID", "downloadLocation", "name" ], + "additionalProperties": false + } + }, + "files": { + "description": "Files referenced in the SPDX document", + "type": "array", + "items": { + "type": "object", + "properties": { + "SPDXID": { + "type": "string", + "description": "Uniquely identify any element in an SPDX document which may be referenced by other elements." + }, + "annotations": { + "description": "Provide additional information about an SpdxElement.", + "type": "array", + "items": { + "type": "object", + "properties": { + "annotationDate": { + "description": "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", + "type": "string" + }, + "annotationType": { + "description": "Type of the annotation.", + "type": "string", + "enum": [ "OTHER", "REVIEW" ] + }, + "annotator": { + "description": "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", + "type": "string" + }, + "comment": { + "type": "string" + } + }, + "required": [ "annotationDate", "annotationType", "annotator", "comment" ], + "additionalProperties": false, + "description": "An Annotation is a comment on an SpdxItem by an agent." + } + }, + "artifactOfs": { + "description": "Indicates the project in which the SpdxElement originated. Tools must preserve doap:homepage and doap:name properties and the URI (if one is known) of doap:Project resources that are values of this property. 
All other properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or from some SPDX formats.", + "type": "array", + "items": { + "type": "object" + } + }, + "attributionTexts": { + "description": "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type": "array", + "items": { + "description": "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type": "string" + } + }, + "checksums": { + "description": "The checksum property provides a mechanism that can be used to verify that the contents of a File or Package have not changed.", + "minItems": 1, + "type": "array", + "items": { + "type": "object", + "properties": { + "algorithm": { + "description": "Identifies the algorithm used to produce the subject Checksum. Currently, SHA-1 is the only supported algorithm. 
It is anticipated that other algorithms will be supported at a later time.", + "type": "string", + "enum": [ "SHA256", "SHA1", "SHA384", "MD2", "MD4", "SHA512", "MD6", "MD5", "SHA224", "SHA3_256", "SHA3_384,", "SHA3_512", "BLAKE2b_256", "BLAKE2b_384", "BLAKE2b_512", "BLAKE3", "ADLER32" ] + }, + "checksumValue": { + "description": "The checksumValue property provides a lower case hexidecimal encoded digest value produced using a specific algorithm.", + "type": "string" + } + }, + "required": [ "algorithm", "checksumValue" ], + "additionalProperties": false, + "description": "A Checksum is value that allows the contents of a file to be authenticated. Even small changes to the content of the file will change its checksum. This class allows the results of a variety of checksum and cryptographic message digest algorithms to be represented." + } + }, + "comment": { + "type": "string" + }, + "copyrightText": { + "description": "The text of copyright declarations recited in the Package or File.", + "type": "string" + }, + "fileContributors": { + "description": "This field provides a place for the SPDX file creator to record file contributors. Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.", + "type": "array", + "items": { + "description": "This field provides a place for the SPDX file creator to record file contributors. 
Contributors could include names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.", + "type": "string" + } + }, + "fileDependencies": { + "type": "array", + "items": { + "description": "SPDX ID for File", + "type": "string" + } + }, + "fileName": { + "description": "The name of the file relative to the root of the package.", + "type": "string" + }, + "fileTypes": { + "description": "The type of the file.", + "type": "array", + "items": { + "description": "The type of the file.", + "type": "string", + "enum": [ "OTHER", "DOCUMENTATION", "IMAGE", "VIDEO", "ARCHIVE", "SPDX", "APPLICATION", "SOURCE", "BINARY", "TEXT", "AUDIO" ] + } + }, + "licenseComments": { + "description": "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", + "type": "string" + }, + "licenseConcluded": { + "description": "License expression for licenseConcluded. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.", + "type": "string" + }, + "licenseInfoInFiles": { + "description": "Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.", + "minItems": 1, + "type": "array", + "items": { + "description": "License expression for licenseInfoInFile. Licensing information that was discovered directly in the subject file. This is also considered a declared license for the file.", + "type": "string" + } + }, + "noticeText": { + "description": "This field provides a place for the SPDX file creator to record potential legal notices found in the file. 
This may or may not include copyright statements.", + "type": "string" + } + }, + "required": [ "SPDXID", "checksums", "fileName" ], + "additionalProperties": false + } + }, + "snippets": { + "description": "Snippets referenced in the SPDX document", + "type": "array", + "items": { + "type": "object", + "properties": { + "SPDXID": { + "type": "string", + "description": "Uniquely identify any element in an SPDX document which may be referenced by other elements." + }, + "annotations": { + "description": "Provide additional information about an SpdxElement.", + "type": "array", + "items": { + "type": "object", + "properties": { + "annotationDate": { + "description": "Identify when the comment was made. This is to be specified according to the combined date and time in the UTC format, as specified in the ISO 8601 standard.", + "type": "string" + }, + "annotationType": { + "description": "Type of the annotation.", + "type": "string", + "enum": [ "OTHER", "REVIEW" ] + }, + "annotator": { + "description": "This field identifies the person, organization, or tool that has commented on a file, package, snippet, or the entire document.", + "type": "string" + }, + "comment": { + "type": "string" + } + }, + "required": [ "annotationDate", "annotationType", "annotator", "comment" ], + "additionalProperties": false, + "description": "An Annotation is a comment on an SpdxItem by an agent." + } + }, + "attributionTexts": { + "description": "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). 
The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type": "array", + "items": { + "description": "This field provides a place for the SPDX data creator to record acknowledgements that may be required to be communicated in some contexts. This is not meant to include the actual complete license text (see licenseConculded and licenseDeclared), and may or may not include copyright notices (see also copyrightText). The SPDX data creator may use this field to record other acknowledgements, such as particular clauses from license texts, which may be necessary or desirable to reproduce.", + "type": "string" + } + }, + "comment": { + "type": "string" + }, + "copyrightText": { + "description": "The text of copyright declarations recited in the Package or File.", + "type": "string" + }, + "licenseComments": { + "description": "The licenseComments property allows the preparer of the SPDX document to describe why the licensing in spdx:licenseConcluded was chosen.", + "type": "string" + }, + "licenseConcluded": { + "description": "License expression for licenseConcluded. The licensing that the preparer of this SPDX document has concluded, based on the evidence, actually applies to the package.", + "type": "string" + }, + "licenseInfoInSnippets": { + "description": "Licensing information that was discovered directly in the subject snippet. This is also considered a declared license for the snippet.", + "type": "array", + "items": { + "description": "License expression for licenseInfoInSnippet. Licensing information that was discovered directly in the subject snippet. 
This is also considered a declared license for the snippet.", + "type": "string" + } + }, + "name": { + "description": "Identify name of this SpdxElement.", + "type": "string" + }, + "ranges": { + "description": "This field defines the byte range in the original host file (in X.2) that the snippet information applies to", + "minItems": 1, + "type": "array", + "items": { + "type": "object", + "properties": { + "endPointer": { + "type": "object", + "properties": { + "reference": { + "description": "SPDX ID for File", + "type": "string" + }, + "offset": { + "type": "integer", + "description": "Byte offset in the file" + }, + "lineNumber": { + "type": "integer", + "description": "line number offset in the file" + } + }, + "required": [ "reference" ], + "additionalProperties": false + }, + "startPointer": { + "type": "object", + "properties": { + "reference": { + "description": "SPDX ID for File", + "type": "string" + }, + "offset": { + "type": "integer", + "description": "Byte offset in the file" + }, + "lineNumber": { + "type": "integer", + "description": "line number offset in the file" + } + }, + "required": [ "reference" ], + "additionalProperties": false + } + }, + "required": [ "endPointer", "startPointer" ], + "additionalProperties": false + } + }, + "snippetFromFile": { + "description": "SPDX ID for File. File containing the SPDX element (e.g. 
the file contaning a snippet).", + "type": "string" + } + }, + "required": [ "SPDXID", "ranges", "snippetFromFile" ], + "additionalProperties": false + } + }, + "relationships": { + "description": "Relationships referenced in the SPDX document", + "type": "array", + "items": { + "type": "object", + "properties": { + "spdxElementId": { + "type": "string", + "description": "Id to which the SPDX element is related" + }, + "comment": { + "type": "string" + }, + "relationshipType": { + "description": "Describes the type of relationship between two SPDX elements.", + "type": "string", + "enum": [ "VARIANT_OF", "COPY_OF", "PATCH_FOR", "TEST_DEPENDENCY_OF", "CONTAINED_BY", "DATA_FILE_OF", "OPTIONAL_COMPONENT_OF", "ANCESTOR_OF", "GENERATES", "CONTAINS", "OPTIONAL_DEPENDENCY_OF", "FILE_ADDED", "DEV_DEPENDENCY_OF", "DEPENDENCY_OF", "BUILD_DEPENDENCY_OF", "DESCRIBES", "PREREQUISITE_FOR", "HAS_PREREQUISITE", "PROVIDED_DEPENDENCY_OF", "DYNAMIC_LINK", "DESCRIBED_BY", "METAFILE_OF", "DEPENDENCY_MANIFEST_OF", "PATCH_APPLIED", "RUNTIME_DEPENDENCY_OF", "TEST_OF", "TEST_TOOL_OF", "DEPENDS_ON", "FILE_MODIFIED", "DISTRIBUTION_ARTIFACT", "AMENDS", "DOCUMENTATION_OF", "GENERATED_FROM", "STATIC_LINK", "OTHER", "BUILD_TOOL_OF", "TEST_CASE_OF", "PACKAGE_OF", "DESCENDANT_OF", "FILE_DELETED", "EXPANDED_FROM_ARCHIVE", "DEV_TOOL_OF", "EXAMPLE_OF", "REQUIREMENT_DESCRIPTION_FOR", "SPECIFICATION_FOR" ] + }, + "relatedSpdxElement": { + "description": "SPDX ID for SpdxElement. A related SpdxElement.", + "type": "string" + } + }, + "required": [ "spdxElementId", "relatedSpdxElement", "relationshipType" ], + "additionalProperties": false + } + } + }, + "required": [ "SPDXID", "creationInfo", "dataLicense", "name", "spdxVersion" ], + "additionalProperties": false +} \ No newline at end of file diff --git a/src/CycloneDX.Spdx/Schemas/spdx-2.3.schema.xsd b/src/CycloneDX.Spdx/Schemas/spdx-2.3.schema.xsd new file mode 100644 index 00000000..3128825d --- /dev/null 
+++ b/src/CycloneDX.Spdx/Schemas/spdx-2.3.schema.xsd @@ -0,0 +1,210 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/CycloneDX.Spdx/Serialization/JsonSerializer.cs b/src/CycloneDX.Spdx/Serialization/JsonSerializer.cs index 09700064..998e2788 100644 --- a/src/CycloneDX.Spdx/Serialization/JsonSerializer.cs +++ b/src/CycloneDX.Spdx/Serialization/JsonSerializer.cs @@ -15,7 +15,6 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright (c) OWASP Foundation. All Rights Reserved. -using System; using System.Diagnostics.Contracts; using System.IO; using System.Text.Json; 
@@ -28,44 +27,46 @@ public static class JsonSerializer { // this is so we can "cache" the serialization options // instantiating a new instance each time tanks serialization performance - private static JsonSerializerOptions _options_v2_2; + private static JsonSerializerOptions _options_v2_3; - public static JsonSerializerOptions GetJsonSerializerOptions_v2_2() + public static JsonSerializerOptions GetJsonSerializerOptions_v2_3() { var options = new JsonSerializerOptions { WriteIndented = true, PropertyNamingPolicy = JsonNamingPolicy.CamelCase, DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull, + }; options.Converters.Add(new JsonStringEnumConverter()); return options; } - public static string Serialize(Models.v2_2.SpdxDocument document) + + public static string Serialize(Models.v2_3.SpdxDocument document) { - if (_options_v2_2 is null) { _options_v2_2 = GetJsonSerializerOptions_v2_2(); } - return System.Text.Json.JsonSerializer.Serialize(document, _options_v2_2); + if (_options_v2_3 is null) { _options_v2_3 = GetJsonSerializerOptions_v2_3(); } + return System.Text.Json.JsonSerializer.Serialize(document, _options_v2_3); } - public static async Task SerializeAsync(Models.v2_2.SpdxDocument document, Stream outputStream) + public static async Task SerializeAsync(Models.v2_3.SpdxDocument document, Stream outputStream) { Contract.Requires(document != null && outputStream != null); - if (_options_v2_2 is null) { _options_v2_2 = GetJsonSerializerOptions_v2_2(); } - await System.Text.Json.JsonSerializer.SerializeAsync(outputStream, document, _options_v2_2).ConfigureAwait(false); + if (_options_v2_3 is null) { _options_v2_3 = GetJsonSerializerOptions_v2_3(); } + await System.Text.Json.JsonSerializer.SerializeAsync(outputStream, document, _options_v2_3).ConfigureAwait(false); } - public static Models.v2_2.SpdxDocument Deserialize(string document) + public static Models.v2_3.SpdxDocument Deserialize(string document) { - if (_options_v2_2 is null) { _options_v2_2 = 
GetJsonSerializerOptions_v2_2(); } - return System.Text.Json.JsonSerializer.Deserialize(document, _options_v2_2); + if (_options_v2_3 is null) { _options_v2_3 = GetJsonSerializerOptions_v2_3(); } + return System.Text.Json.JsonSerializer.Deserialize(document, _options_v2_3); } - public static async Task DeserializeAsync(Stream jsonStream) + public static async Task DeserializeAsync(Stream jsonStream) { Contract.Requires(jsonStream != null); - if (_options_v2_2 is null) { _options_v2_2 = GetJsonSerializerOptions_v2_2(); } - var doc = await System.Text.Json.JsonSerializer.DeserializeAsync(jsonStream, _options_v2_2).ConfigureAwait(false); + if (_options_v2_3 is null) { _options_v2_3 = GetJsonSerializerOptions_v2_3(); } + var doc = await System.Text.Json.JsonSerializer.DeserializeAsync(jsonStream, _options_v2_3).ConfigureAwait(false); return doc; } } diff --git a/src/CycloneDX.Spdx/Serialization/XmlSerializer.cs b/src/CycloneDX.Spdx/Serialization/XmlSerializer.cs index 07012b63..4d0261ed 100644 --- a/src/CycloneDX.Spdx/Serialization/XmlSerializer.cs +++ b/src/CycloneDX.Spdx/Serialization/XmlSerializer.cs @@ -15,14 +15,9 @@ // SPDX-License-Identifier: Apache-2.0 // Copyright (c) OWASP Foundation. All Rights Reserved. -using System; using System.Diagnostics.Contracts; using System.IO; -using System.Net.Security; using System.Text; -using System.Text.Json; -using System.Text.Json.Serialization; -using System.Threading.Tasks; using System.Xml; namespace CycloneDX.Spdx.Serialization @@ -40,7 +35,7 @@ public static class XmlSerializer /// /// /// - public static string Serialize(Models.v2_2.SpdxDocument document) + public static string Serialize(Models.v2_3.SpdxDocument document) { Contract.Requires(document != null); 
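Review bot: The lazy-init line `if (_options_v2_3 is null) { _options_v2_3 = GetJsonSerializerOptions_v2_3(); }` is repeated in all four public methods of this hunk and is racy (two concurrent first callers can each build their own options instance; harmless here, but needless). Since the field is never reassigned once set, a single eager initializer removes both the duplication and the race: `private static readonly JsonSerializerOptions _options_v2_3 = GetJsonSerializerOptions_v2_3();`, after which the four `if` lines can be dropped. Separately, `Serialize(Models.v2_3.SpdxDocument document)` has no `Contract.Requires(document != null)` while `SerializeAsync`, `Deserialize` and `DeserializeAsync` all check their arguments; adding the same precondition keeps the null-handling consistent across the class. Both deserializers also return null for a JSON `null` input, which none of the (absent) XML doc comments tells callers — a `/// <returns>The deserialized document, or null if the input is the JSON literal null.</returns>` on each would help.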
@@ -56,11 +51,11 @@ public static string Serialize(Models.v2_2.SpdxDocument document) /// /// /// - public static void Serialize(Models.v2_2.SpdxDocument document, Stream outputStream) + public static void Serialize(Models.v2_3.SpdxDocument document, Stream outputStream) { Contract.Requires(document != null); - var serializer = new System.Xml.Serialization.XmlSerializer(typeof(Models.v2_2.SpdxDocument)); + var serializer = new System.Xml.Serialization.XmlSerializer(typeof(Models.v2_3.SpdxDocument)); using (var xmlWriter = XmlWriter.Create(outputStream, WriterSettings)) { @@ -73,7 +68,7 @@ public static void Serialize(Models.v2_2.SpdxDocument document, Stream outputStr /// /// /// - public static Models.v2_2.SpdxDocument Deserialize(string xmlString) + public static Models.v2_3.SpdxDocument Deserialize(string xmlString) { Contract.Requires(xmlString != null); using (var stream = new MemoryStream()) @@ -91,7 +86,7 @@ public static Models.v2_2.SpdxDocument Deserialize(string xmlString) /// /// /// - public static Models.v2_2.SpdxDocument Deserialize(Stream xmlStream) + public static Models.v2_3.SpdxDocument Deserialize(Stream xmlStream) { Contract.Requires(xmlStream != null); @@ -109,11 +104,11 @@ public static Models.v2_2.SpdxDocument Deserialize(Stream xmlStream) } } - private static Models.v2_2.SpdxDocument Deserialize(MemoryStream xmlStream) + private static Models.v2_3.SpdxDocument Deserialize(MemoryStream xmlStream) { - var serializer = new System.Xml.Serialization.XmlSerializer(typeof(Models.v2_2.SpdxDocument)); + var serializer = new System.Xml.Serialization.XmlSerializer(typeof(Models.v2_3.SpdxDocument)); - var document = (Models.v2_2.SpdxDocument)serializer.Deserialize(xmlStream); + var document = (Models.v2_3.SpdxDocument)serializer.Deserialize(xmlStream); return document; } diff --git a/src/CycloneDX.Spdx/Validation/JsonValidator.cs b/src/CycloneDX.Spdx/Validation/JsonValidator.cs index 46e37031..faf440d9 100644 
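Review bot: In the private `Deserialize(MemoryStream xmlStream)` overload (last hunk of XmlSerializer.cs) the input goes to `serializer.Deserialize(xmlStream)` straight from the stream, so the read side gets no explicit reader policy even though the write side already goes through `XmlWriter.Create(outputStream, WriterSettings)`. For SPDX files that arrive from third parties it is worth stating the policy rather than relying on the stream overload's defaults: `using (var reader = XmlReader.Create(xmlStream, new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null })) { return (Models.v2_3.SpdxDocument)serializer.Deserialize(reader); }`. The public `Deserialize(Stream)` and `Deserialize(string)` bodies run past their hunks, so I cannot tell whether a configured reader is already applied upstream; if both funnel into this private overload, hardening it here covers both.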
--- a/src/CycloneDX.Spdx/Validation/JsonValidator.cs +++ b/src/CycloneDX.Spdx/Validation/JsonValidator.cs @@ -38,7 +38,7 @@ public static async Task ValidateAsync(Stream jsonStream) { var assembly = typeof(JsonValidator).GetTypeInfo().Assembly; - using (var schemaStream = assembly.GetManifestResourceStream($"CycloneDX.Spdx.Schemas.spdx-2.2.schema.json")) + using (var schemaStream = assembly.GetManifestResourceStream($"CycloneDX.Spdx.Schemas.spdx-2.3.schema.json")) { var jsonSchema = await JsonSchema.FromStream(schemaStream).ConfigureAwait(false); var jsonDocument = await JsonDocument.ParseAsync(jsonStream).ConfigureAwait(false); @@ -55,7 +55,7 @@ public static ValidationResult Validate(string jsonString) { var assembly = typeof(JsonValidator).GetTypeInfo().Assembly; - using (var schemaStream = assembly.GetManifestResourceStream($"CycloneDX.Spdx.Schemas.spdx-2.2.schema.json")) + using (var schemaStream = assembly.GetManifestResourceStream($"CycloneDX.Spdx.Schemas.spdx-2.3.schema.json")) using (var schemaStreamReader = new StreamReader(schemaStream)) { var jsonSchema = JsonSchema.FromText(schemaStreamReader.ReadToEnd()); diff --git a/src/CycloneDX.Spdx/Validation/XmlValidator.cs b/src/CycloneDX.Spdx/Validation/XmlValidator.cs index 992ba877..7d1f9a97 100644 --- a/src/CycloneDX.Spdx/Validation/XmlValidator.cs +++ b/src/CycloneDX.Spdx/Validation/XmlValidator.cs @@ -35,7 +35,7 @@ public static ValidationResult Validate(Stream xmlStream) var validationMessages = new List(); var assembly = typeof(XmlValidator).GetTypeInfo().Assembly; - using (var schemaStream = assembly.GetManifestResourceStream($"CycloneDX.Spdx.Schemas.spdx-2.2.schema.xsd")) + using (var schemaStream = assembly.GetManifestResourceStream($"CycloneDX.Spdx.Schemas.spdx-2.3.schema.xsd")) { var settings = new XmlReaderSettings(); diff --git a/tests/CycloneDX.Spdx.Interop.Tests/ConverterTests.cs b/tests/CycloneDX.Spdx.Interop.Tests/ConverterTests.cs index 5ce67e00..50ebd1dc 100644 
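Review bot: `assembly.GetManifestResourceStream(...)` returns null when the named resource is not embedded, and the new `spdx-2.3.schema.json` / `spdx-2.3.schema.xsd` names are only correct if the 2.3 schema files were added as embedded resources in the library project, which this diff does not show; a null here fails inside `JsonSchema.FromStream` / `new StreamReader(...)` with an exception that does not name the missing resource. A guard right after the `using (var schemaStream = ...)` line — `if (schemaStream is null) throw new InvalidOperationException("Embedded schema resource not found: CycloneDX.Spdx.Schemas.spdx-2.3.schema.json");` — applies to both JsonValidator hunks and, with the `.xsd` name, to the XmlValidator hunk. The `$` prefix on these resource-name literals interpolates nothing and can be dropped. Replacing the 2.2 schema rather than adding one beside it also means documents that declare `SPDX-2.2` are now validated against the 2.3 schema; if that is intended, the `Validate`/`ValidateAsync` XML docs should say so.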
--- a/tests/CycloneDX.Spdx.Interop.Tests/ConverterTests.cs +++ b/tests/CycloneDX.Spdx.Interop.Tests/ConverterTests.cs @@ -22,16 +22,18 @@ using Snapshooter.Xunit; using CycloneDX.Models; using CycloneDX.Spdx.Serialization; +using System.Reflection.Metadata; namespace CycloneDX.Spdx.Interop.Tests { public class ConverterTests { [Theory] - [InlineData("document")] - public void FromSpdxToCDXToSpdxRoundTripTest(string baseFilename) + [InlineData("v2.2")] + [InlineData("v2.3")] + public void FromSpdxToCDXToSpdxRoundTripTest(string version) { - var resourceFilename = Path.Join("Resources", "Spdx", "v2.2", baseFilename + ".json"); + var resourceFilename = Path.Join("Resources", "Spdx", version, "document" + ".json"); var fileContents = File.ReadAllText(resourceFilename); var spdxDocument = JsonSerializer.Deserialize(fileContents); @@ -39,21 +41,22 @@ public void FromSpdxToCDXToSpdxRoundTripTest(string baseFilename) var result = cdxBom.ToSpdx(); var resultString = JsonSerializer.Serialize(result); - Snapshot.Match(resultString, SnapshotNameExtension.Create(baseFilename)); + Snapshot.Match(resultString, SnapshotNameExtension.Create($"{version}document")); } [Theory] - [InlineData("document")] - public void FromSpdxToCDXTest(string baseFilename) + [InlineData("v2.2")] + [InlineData("v2.3")] + public void FromSpdxToCDXTest(string version) { - var resourceFilename = Path.Join("Resources", "Spdx", "v2.2", baseFilename + ".json"); + var resourceFilename = Path.Join("Resources", "Spdx",version, "document" + ".json"); var fileContents = File.ReadAllText(resourceFilename); var spdxDocument = JsonSerializer.Deserialize(fileContents); var cdxBom = spdxDocument.ToCycloneDX(); var resultString = CycloneDX.Json.Serializer.Serialize(cdxBom); - Snapshot.Match(resultString, SnapshotNameExtension.Create(baseFilename)); + Snapshot.Match(resultString, SnapshotNameExtension.Create($"{version}document")); } [Theory] 
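Review bot: The added `using System.Reflection.Metadata;` is not used by anything in either hunk and should be dropped unless a part of the file outside this diff needs it. In the second hunk `Path.Join("Resources", "Spdx",version, "document" + ".json")` keeps a leftover concatenation of two literals and is missing the space after the comma; `Path.Join("Resources", "Spdx", version, "document.json")` reads as intended in both tests. Snapshot names built as `$"{version}document"` produce files named like `v2.2document`; since the existing snapshots are being renamed anyway, a separator such as `$"{version}_document"` would keep them readable.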
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/CycloneDX.Spdx.Interop.Tests.csproj b/tests/CycloneDX.Spdx.Interop.Tests/CycloneDX.Spdx.Interop.Tests.csproj index 02c103d1..9afdec71 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/CycloneDX.Spdx.Interop.Tests.csproj +++ b/tests/CycloneDX.Spdx.Interop.Tests/CycloneDX.Spdx.Interop.Tests.csproj @@ -25,9 +25,290 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + + + + Always + + + diff --git a/tests/CycloneDX.Spdx.Interop.Tests/Resources/Spdx/v2.3/document.json b/tests/CycloneDX.Spdx.Interop.Tests/Resources/Spdx/v2.3/document.json new file mode 100644 index 00000000..9b381c23 --- /dev/null +++ b/tests/CycloneDX.Spdx.Interop.Tests/Resources/Spdx/v2.3/document.json 
@@ -0,0 +1,417 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "comment": "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.", + "created": "2010-01-29T18:30:22Z", + "creators": [ + "Tool: LicenseFind-1.0", + "Organization: ExampleCodeInspect ()", + "Person: Jane Doe ()" + ], + "licenseListVersion": "3.9" + }, + "name": "SPDX-Tools-v2.0", + "dataLicense": "CC0-1.0", + "comment": "This document was created using CycloneDX.Spdx 2.0 using licenses from the web site.", + "externalDocumentRefs": [ + { + "externalDocumentId": "DocumentRef-spdx-tool-1.2", + "checksum": { + "algorithm": "SHA1", + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759" + }, + "spdxDocument": "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301" + } + ], + "hasExtractedLicensingInfos": [ + { + "licenseId": "LicenseRef-1", + "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. 
The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, + { + "licenseId": "LicenseRef-2", + "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n� Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." + }, + { + "licenseId": "LicenseRef-4", + "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. 
The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, + { + "licenseId": "LicenseRef-Beerware-4.2", + "comment": "The beerware license has a couple of other standard variants.", + "extractedText": "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp", + "name": "Beer-Ware License (Version 42)", + "seeAlsos": [ + "http://people.freebsd.org/~phk/" + ] + }, + { + "licenseId": "LicenseRef-3", + "comment": "This is tye CyperNeko License", + "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. 
Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "name": "CyberNeko License", + "seeAlsos": [ + "http://people.apache.org/~andyc/neko/LICENSE", + "http://justasample.url.com" + ] + } + ], + "annotations": [ + { + "annotationDate": "2010-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: Jane Doe ()", + "comment": "Document level annotation" + }, + { + "annotationDate": "2010-02-10T00:00:00Z", + "annotationType": "REVIEW", + "annotator": "Person: Joe Reviewer", + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses" + }, + { + "annotationDate": "2011-03-13T00:00:00Z", + "annotationType": "REVIEW", + "annotator": "Person: Suzanne Reviewer", + "comment": "Another example reviewer." + } + ], + "documentDescribes": [ + "SPDXRef-File", + "SPDXRef-Package" + ], + "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "annotations": [ + { + "annotationDate": "2011-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: Package Commenter", + "comment": "Package level annotation" + } + ], + "attributionTexts": [ + "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. 
License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." + ], + "builtDate": "2011-01-29T18:30:22Z", + "checksums": [ + { + "algorithm": "BLAKE2b_512", + "checksumValue": "624c1abb3664f4b35547e7c73864ad24" + }, + { + "algorithm": "ADLER32", + "checksumValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + }, + { + "algorithm": "SHA256", + "checksumValue": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + } + ], + "copyrightText": "Copyright 2008-2010 John Smith", + "description": "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", + "downloadLocation": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "comment": "This is the external ref for Acme", + "referenceCategory": "PERSISTENT_ID", + "referenceLocator": "acmecorp/acmenator/4.1.3-alpha", + "referenceType": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge" + } + ], + "filesAnalyzed": true, + "homepage": "http://ftp.gnu.org/gnu/glibc", + "licenseComments": "The license for this project changed with the release of version x.y. 
The version of the project included here post-dates the license change.", + "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-3)", + "licenseDeclared": "(LGPL-2.0-only AND LicenseRef-3)", + "licenseInfoFromFiles": [ + "GPL-2.0-only", + "LicenseRef-2", + "LicenseRef-1" + ], + "name": "glibc", + "originator": "Organization: ExampleCodeInspect (contact@example.com)", + "packageFileName": "glibc-2.11.1.tar.gz", + "packageVerificationCode": { + "packageVerificationCodeExcludedFiles": [ + "./package.spdx" + ], + "packageVerificationCodeValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + "hasFiles": [ + "SPDXRef-CommonsLangSrc", + "SPDXRef-JenaLib", + "SPDXRef-DoapSource" + ], + "primaryPackagePurpose": "FRAMEWORK", + "releaseDate": "2012-01-29T18:30:22Z", + "sourceInfo": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.", + "summary": "GNU C library.", + "supplier": "Person: Jane Doe (jane.doe@example.com)", + "validUntilDate": "2014-01-29T18:30:22Z", + "versionInfo": "2.11.1" + }, + { + "SPDXID": "SPDXRef-fromDoap-1", + "copyrightText": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "homepage": "http://commons.apache.org/proper/commons-lang/", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "Apache Commons Lang" + }, + { + "SPDXID": "SPDXRef-fromDoap-0", + "copyrightText": "NOASSERTION", + "downloadLocation": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceLocator": "pkg:maven/org.apache.jena/apache-jena@3.12.0", + "referenceType": "purl" + } + ], + "filesAnalyzed": false, + "homepage": "NOASSERTION", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "Jena", + "primaryPackagePurpose": "APPLICATION", + "versionInfo": "3.12.0" + }, + { + "SPDXID": "SPDXRef-Saxon", + "checksums": [ + { + "algorithm": "SHA1", + 
"checksumValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + } + ], + "copyrightText": "Copyright Saxonica Ltd", + "description": "The Saxon package is a collection of tools for processing XML documents.", + "downloadLocation": "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download", + "filesAnalyzed": false, + "homepage": "http://saxon.sourceforge.net/", + "licenseComments": "Other versions available for a commercial license", + "licenseConcluded": "MPL-1.0", + "licenseDeclared": "MPL-1.0", + "name": "Saxon", + "packageFileName": "saxonB-8.8.zip", + "primaryPackagePurpose": "LIBRARY", + "versionInfo": "8.8" + } + ], + "files": [ + { + "SPDXID": "SPDXRef-DoapSource", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" + } + ], + "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", + "fileContributors": [ + "Protecode Inc.", + "SPDX Technical Team Members", + "Open Logic Inc.", + "Source Auditor Inc.", + "Black Duck Software In.c" + ], + "fileName": "./src/org/spdx/parser/DOAPProject.java", + "fileTypes": [ + "SOURCE" + ], + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ + "Apache-2.0" + ] + }, + { + "SPDXID": "SPDXRef-CommonsLangSrc", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "c2b4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "This file is used by Jena", + "copyrightText": "Copyright 2001-2011 The Apache Software Foundation", + "fileContributors": [ + "Apache Software Foundation" + ], + "fileName": "./lib-source/commons-lang3-3.1-sources.jar", + "fileTypes": [ + "ARCHIVE" + ], + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ + "Apache-2.0" + ], + "noticeText": "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the 
Apache License 2.0 (see: StringUtils.containsWhitespace())" + }, + { + "SPDXID": "SPDXRef-JenaLib", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "This file belongs to Jena", + "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "fileContributors": [ + "Apache Software Foundation", + "Hewlett Packard Inc." + ], + "fileName": "./lib-source/jena-2.6.3-sources.jar", + "fileTypes": [ + "ARCHIVE" + ], + "licenseComments": "This license is used by Jena", + "licenseConcluded": "LicenseRef-1", + "licenseInfoInFiles": [ + "LicenseRef-1" + ] + }, + { + "SPDXID": "SPDXRef-File", + "annotations": [ + { + "annotationDate": "2011-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: File Commenter", + "comment": "File level annotation" + } + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + { + "algorithm": "MD5", + "checksumValue": "624c1abb3664f4b35547e7c73864ad24" + } + ], + "comment": "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.", + "copyrightText": "Copyright 2008-2010 John Smith", + "fileContributors": [ + "The Regents of the University of California", + "Modified by Paul Mundt lethal@linux-sh.org", + "IBM Corporation" + ], + "fileName": "./package/foo.c", + "fileTypes": [ + "SOURCE" + ], + "licenseComments": "The concluded license was taken from the package level that the file was included in.", + "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-2)", + "licenseInfoInFiles": [ + "GPL-2.0-only", + "LicenseRef-2" + ], + "noticeText": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files 
(the �Software�), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED �AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." + } + ], + "snippets": [ + { + "SPDXID": "SPDXRef-Snippet", + "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.", + "copyrightText": "Copyright 2008-2010 John Smith", + "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. 
The concluded license information was found in the COPYING.txt file in package xyz.", + "licenseConcluded": "GPL-2.0-only", + "licenseInfoInSnippets": [ + "GPL-2.0-only" + ], + "name": "from linux kernel", + "ranges": [ + { + "endPointer": { + "offset": 420, + "reference": "SPDXRef-DoapSource" + }, + "startPointer": { + "offset": 310, + "reference": "SPDXRef-DoapSource" + } + }, + { + "endPointer": { + "lineNumber": 23, + "reference": "SPDXRef-DoapSource" + }, + "startPointer": { + "lineNumber": 5, + "reference": "SPDXRef-DoapSource" + } + } + ], + "snippetFromFile": "SPDXRef-DoapSource" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" + + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "COPY_OF", + "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement" + + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "DESCRIBES", + "relatedSpdxElement": "SPDXRef-File" + + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "DESCRIBES", + "relatedSpdxElement": "SPDXRef-Package" + + }, + { + "spdxElementId": "SPDXRef-Package", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-JenaLib" + + }, + { + "spdxElementId": "SPDXRef-Package", + "relationshipType": "DYNAMIC_LINK", + "relatedSpdxElement": "SPDXRef-Saxon" + + }, + { + "spdxElementId": "SPDXRef-CommonsLangSrc", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "NOASSERTION" + + }, + { + "spdxElementId": "SPDXRef-JenaLib", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" + + }, + { + "spdxElementId": "SPDXRef-File", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "SPDXRef-fromDoap-0" + } + ] +} 
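Review bot: The new fixture contains U+FFFD replacement characters where the text evidently had `©` and curly quotes (the `LicenseRef-2` extractedText and the `SPDXRef-File` noticeText), which looks like a lossy encoding conversion; they will be baked into the new snapshots, so the file should be re-saved as UTF-8 with the intended characters before the snapshots are generated. The package checksums are labelled `BLAKE2b_512` and `ADLER32` but carry 32- and 40-hex-digit values, which are MD5 and SHA-1 lengths (BLAKE2b-512 is 128 hex digits, Adler-32 is 8). If the schema only types `checksumValue` as a string this passes today, but any future length check in the converter will break the fixture; either use digests of the right length or leave a comment in the test explaining that the values are placeholders.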
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_assembly.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_assembly.snap index 73b81067..fac952e3 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_assembly.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_assembly.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -11,17 +11,9 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "acme-library-a", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_bom.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_bom.snap index 7b9051dd..b0d2a4ec 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_bom.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_bom.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2020-04-13T20:20:39Z", 
@@ -33,31 +33,18 @@ "checksumValue": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282" } ], - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "tomcat-catalina", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "9.0.14" }, { "SPDXID": "SPDXRef-Package-2", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "mylibrary", "originator": "Person: Example Super Heros ()", + "primaryPackagePurpose": "LIBRARY", "supplier": "Person: Example, Inc. (support@example.com)", "versionInfo": "1.0.0" } diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-hashes.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-hashes.snap index 957d298c..43727b7b 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-hashes.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-hashes.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" 
@@ -31,19 +31,39 @@ { "algorithm": "SHA512", "checksumValue": "74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6" + }, + { + "algorithm": "SHA3_256", + "checksumValue": "7478c7cf41c883a04ee89f1813f687886d53fa86f791fff90690c6221e3853aa" + }, + { + "algorithm": "SHA3_384", + "checksumValue": "a1eea7229716487ad2ebe96b2f997a8408f32f14047994fbcc99b49012cf86c96dbd518e5d57a61b0e57dd37dd0b48f5" + }, + { + "algorithm": "SHA3_512", + "checksumValue": "7d584825bc1767dfabe7e82b45ccb7a1119b145fa17e76b885e71429c706cef0a3171bc6575b968eec5da56a7966c02fec5402fcee55097ac01d40c550de9d20" + }, + { + "algorithm": "BLAKE2b_256", + "checksumValue": "d8779633380c050bccf4e733b763ab2abd8ad2db60b517d47fd29bbf76433237" + }, + { + "algorithm": "BLAKE2b_384", + "checksumValue": "e728ba56c2da995a559a178116c594e8bee4894a79ceb4399d8f479e5563cb1942b85936f646d14170717c576b14db7a" + }, + { + "algorithm": "BLAKE2b_512", + "checksumValue": "f8ce8d612a6c85c96cf7cebc230f6ddef26e6cedcfbc4a41c766033cc08c6ba097d1470948226807fb2d88d2a2b6fc0ff5e5440e93a603086fdd568bafcd1a9d" + }, + { + "algorithm": "BLAKE3", + "checksumValue": "26cdc7fb3fd65fc3b621a4ef70bc7d2489d5c19e70c76cf7ec20e538df0047cf" } ], - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "acme-example", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-ref.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-ref.snap index 032a9fd9..fbd72ab6 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-ref.snap 
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-ref.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -11,32 +11,16 @@ "packages": [ { "SPDXID": "SPDXRef-123", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "acme-library", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" }, { "SPDXID": "SPDXRef-456", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "acme-library", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-swid-full.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-swid-full.snap index 98c2725b..a2a18a2e 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-swid-full.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-swid-full.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" 
@@ -11,17 +11,10 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "Acme Application", "originator": "Person: Acme Super Heros ()", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "APPLICATION", "versionInfo": "9.1.1" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-swid.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-swid.snap index 98c2725b..a2a18a2e 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-swid.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-swid.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -11,17 +11,10 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "Acme Application", "originator": "Person: Acme Super Heros ()", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "APPLICATION", "versionInfo": "9.1.1" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-types.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-types.snap index d39eee01..942aba9a 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-types.snap 
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_component-types.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" 
@@ -11,101 +11,51 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "application-a", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "APPLICATION", "versionInfo": "1.0" }, { "SPDXID": "SPDXRef-Package-2", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "library-a", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0" }, { "SPDXID": "SPDXRef-Package-3", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "framework-a", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "FRAMEWORK", "versionInfo": "1.0" }, { "SPDXID": "SPDXRef-Package-4", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "container-a", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "CONTAINER", "versionInfo": "1.0" }, { "SPDXID": "SPDXRef-Package-5", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "operating-system-a", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + 
"primaryPackagePurpose": "OPERATING_SYSTEM", "versionInfo": "1.0" }, { "SPDXID": "SPDXRef-Package-6", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "firmware-a", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "FIRMWARE", "versionInfo": "1.0" } ], "files": [ { "SPDXID": "SPDXRef-File-1", - "copyrightText": "NOASSERTION", - "fileName": "file-a", - "licenseConcluded": "NOASSERTION" + "fileName": "file-a" } ] } diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_compositions.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_compositions.snap index e57d47e3..61c637fe 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_compositions.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_compositions.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" 
@@ -11,32 +11,16 @@ "packages": [ { "SPDXID": "SPDXRef-pkg:maven/partner/shaded-library@1.0", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "Partner Shaded Library", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0" }, { "SPDXID": "SPDXRef-Package-2", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "Acme Library", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "3.0" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_dependency.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_dependency.snap index 4c6b0846..e7591457 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_dependency.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_dependency.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" 
@@ -11,47 +11,23 @@ "packages": [ { "SPDXID": "SPDXRef-library-a", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "library-a", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" }, { "SPDXID": "SPDXRef-library-b", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "library-b", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" }, { "SPDXID": "SPDXRef-library-c", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "library-c", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_empty-components.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_empty-components.snap index 45fd3a5f..7015ea3b 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_empty-components.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_empty-components.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" 
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_evidence.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_evidence.snap index b366e8d6..ecfb11a6 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_evidence.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_evidence.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -17,18 +17,14 @@ "Copyright (C) 2005 William Pugh", "Copyright (C) 2004,2005 University of Maryland" ], - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", "licenseDeclared": "LGPL-3.0-or-later", "licenseInfoFromFiles": [ "Apache-2.0", "LGPL-2.1-only" ], "name": "findbugs-project", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "APPLICATION", "versionInfo": "3.0.0" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_external-reference.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_external-reference.snap index f6374e3c..9890a419 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_external-reference.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_external-reference.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" 
@@ -11,17 +11,9 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "mylibrary", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-expression.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-expression.snap index ef0c3923..e0c08c59 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-expression.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-expression.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -11,17 +11,10 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", "licenseDeclared": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "tomcat-catalina", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "9.0.14" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-id.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-id.snap index 82ece59e..9dd75835 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-id.snap 
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-id.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -11,17 +11,10 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "tomcat-catalina", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "9.0.14" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-name.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-name.snap index 699ed8bc..9aebae48 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-name.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_license-name.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -11,16 +11,9 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "tomcat-catalina", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "9.0.14" } ] 
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-author.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-author.snap index b3d66e3b..89b5506b 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-author.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-author.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z", diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-license.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-license.snap index 45fd3a5f..7015ea3b 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-license.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-license.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-manufacture.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-manufacture.snap index 45fd3a5f..7015ea3b 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-manufacture.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-manufacture.snap 
@@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-supplier.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-supplier.snap index 45fd3a5f..7015ea3b 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-supplier.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-supplier.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-timestamp.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-timestamp.snap index 788a05b1..94af4887 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-timestamp.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-timestamp.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2020-04-13T20:20:39Z" diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-tool.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-tool.snap index e9384a1a..c755993f 100644 
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-tool.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_metadata-tool.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z", diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_minimal-viable.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_minimal-viable.snap index e324a56d..07a13cd6 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_minimal-viable.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_minimal-viable.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -11,17 +11,9 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "acme-library", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_patch.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_patch.snap index 9c2e9b27..3720dcd1 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_patch.snap 
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_patch.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -11,17 +11,9 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "sample-library", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" } ] diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_properties.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_properties.snap index e324a56d..07a13cd6 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_properties.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_properties.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -11,17 +11,9 @@ "packages": [ { "SPDXID": "SPDXRef-Package-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "acme-library", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.0" } ] 
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_service-empty-objects.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_service-empty-objects.snap index 45fd3a5f..7015ea3b 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_service-empty-objects.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_service-empty-objects.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_service.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_service.snap index 2efc32a4..8f9291b7 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_service.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxTest_service.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This SPDX document has been converted from CycloneDX format.", "created": "2021-12-24T12:00:00Z" @@ -17,17 +17,10 @@ "checksumValue": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a" } ], - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", - "homepage": "NOASSERTION", - "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "stock-java-client", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "1.0.12" } ] 
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_assembly.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_assembly.snap index 6db3981b..94644e63 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_assembly.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_assembly.snap @@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name", @@ -31,15 +31,13 @@ "type": "library", "name": "acme-library-a", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [ @@ -47,34 +45,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] } diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_bom.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_bom.snap index 998c892b..d30693d1 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_bom.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_bom.snap 
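Review bot: The round-tripped CycloneDX output now pins `"licenses": [ {} ]` for `acme-library-a` (hunk `@@ -31,15 +31,13 @@`), an empty license-choice entry where the visible old side had no `licenses` array at all; the CycloneDX JSON schema requires each `licenses` item to carry either `license` or `expression`, so this snapshot records a document that will fail schema validation and that downstream license-compliance consumers cannot interpret. The same empty object appears for `mylibrary` in the bom round-trip snapshot (next file, hunk `@@ -120,15 +96,13 @@`), while `acme/component`, which keeps its `Apache-2.0` expression, is unaffected, so the SPDX→CycloneDX conversion presumably emits a license entry whenever the package has no `licenseDeclared`/`licenseConcluded` now that those fields are omitted instead of set to `NOASSERTION`; the converter change itself is not in this diff. The expected new side is the `licenses` property absent (or an entry only when a license is actually known), e.g. the package ending `"version": "1.0.0", "externalReferences": [`, and these snapshots should be accepted only after that converter path is corrected, since snapshot tests freeze whatever the code produces rather than what is valid.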
@@ -22,7 +22,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -66,15 +66,10 @@ "expression": "Apache-2.0" } ], - "copyright": "NOASSERTION", "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -82,30 +77,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-pkg:npm/acme/component@1.0.0" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { "type": "library",
@@ -120,15 +96,13 @@ "author": "Example Super Heros", "name": "mylibrary", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -136,14 +110,6 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-2" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, { "name": "spdx:package:originator:email", "value": ""
@@ -151,15 +117,8 @@ { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-hashes.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-hashes.snap
index 72d2b766..e7256aba 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-hashes.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-hashes.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -51,52 +51,55 @@ { "alg": "SHA-512", "content": "74a51ff45e4c11df9ba1f0094282c80489649cb157a75fa337992d2d4592a5a1b8cb4525de8db0ae25233553924d76c36e093ea7fa9df4e5b8b07fd2e074efd6" - } - ], - "copyright": "NOASSERTION", - "externalReferences": [ - { - "url": "NOASSERTION", - "type": "distribution" }, { - "url": "NOASSERTION", - "type": "website" - } - ], - "properties": [ + "alg": "SHA3-256", + "content": "7478c7cf41c883a04ee89f1813f687886d53fa86f791fff90690c6221e3853aa" + }, { - "name": "spdx:spdxid", - "value": "SPDXRef-Package-1" + "alg": "SHA3-384", + "content": "a1eea7229716487ad2ebe96b2f997a8408f32f14047994fbcc99b49012cf86c96dbd518e5d57a61b0e57dd37dd0b48f5" }, { - "name": "spdx:license-concluded", - "value": "NOASSERTION" + "alg": "SHA3-512", + "content": "7d584825bc1767dfabe7e82b45ccb7a1119b145fa17e76b885e71429c706cef0a3171bc6575b968eec5da56a7966c02fec5402fcee55097ac01d40c550de9d20" }, { - "name": "spdx:license-declared", - "value": "NOASSERTION" + "alg": "BLAKE2b-256", + "content": "d8779633380c050bccf4e733b763ab2abd8ad2db60b517d47fd29bbf76433237" }, { - "name": "spdx:package:originator", - "value": "NOASSERTION" + "alg": "BLAKE2b-384", + "content": "e728ba56c2da995a559a178116c594e8bee4894a79ceb4399d8f479e5563cb1942b85936f646d14170717c576b14db7a" }, { - "name": "spdx:package:supplier", - "value": "NOASSERTION" + "alg": "BLAKE2b-512", + "content": "f8ce8d612a6c85c96cf7cebc230f6ddef26e6cedcfbc4a41c766033cc08c6ba097d1470948226807fb2d88d2a2b6fc0ff5e5440e93a603086fdd568bafcd1a9d" }, { - "name": "spdx:download-location", - "value": "NOASSERTION" + "alg": "BLAKE3", + "content": "26cdc7fb3fd65fc3b621a4ef70bc7d2489d5c19e70c76cf7ec20e538df0047cf" + } + ], + "licenses": [ + {} + ], + "externalReferences": [ + { + "url": "NOASSERTION", + "type": "distribution" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-Package-1" }, { - "name": "spdx:homepage", + "name": "spdx:download-location", "value": "NOASSERTION" } - ], - "evidence": { - 
"licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-ref.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-ref.snap
index 0ae7e375..03ad59ba 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-ref.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-ref.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -31,15 +31,13 @@ "type": "library", "name": "acme-library", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -47,48 +45,23 @@ "name": "spdx:spdxid", "value": "SPDXRef-123" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { "type": "library", "name": "acme-library", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -96,34 +69,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-456" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-swid-full.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-swid-full.snap
index defab87e..657c64eb 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-swid-full.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-swid-full.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -28,19 +28,17 @@ }, "components": [ { - "type": "library", + "type": "application", "author": "Acme Super Heros", "name": "Acme Application", "version": "9.1.1", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -48,34 +46,15 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, { "name": "spdx:package:originator:email", "value": "" }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-swid.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-swid.snap
index defab87e..657c64eb 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-swid.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-swid.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -28,19 +28,17 @@ }, "components": [ { - "type": "library", + "type": "application", "author": "Acme Super Heros", "name": "Acme Application", "version": "9.1.1", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -48,34 +46,15 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, { "name": "spdx:package:originator:email", "value": "" }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-types.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-types.snap
index c41fa5f6..84e5917d 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-types.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_component-types.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -28,18 +28,16 @@ }, "components": [ { - "type": "library", + "type": "application", "name": "application-a", "version": "1.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -47,48 +45,23 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { "type": "library", "name": "library-a", "version": "1.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -96,48 +69,23 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-2" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { - "type": "library", + "type": "framework", "name": "framework-a", "version": "1.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -145,48 +93,23 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-3" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { - "type": "library", + "type": "container", "name": "container-a", "version": "1.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -194,48 +117,23 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-4" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { - "type": "library", + "type": "operating-system", "name": "operating-system-a", "version": "1.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -243,48 +141,23 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-5" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { - "type": "library", + "type": "firmware", "name": "firmware-a", "version": "1.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -292,47 +165,19 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-6" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { "type": "file", "name": "file-a", - "copyright": "NOASSERTION", "properties": [ { "name": "spdx:spdxid", "value": "SPDXRef-File-1" - }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_compositions.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_compositions.snap
index 96262181..5850608f 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_compositions.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_compositions.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -31,15 +31,13 @@ "type": "library", "name": "Partner Shaded Library", "version": "1.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -47,48 +45,23 @@ "name": "spdx:spdxid", "value": "SPDXRef-pkg:maven/partner/shaded-library@1.0" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { "type": "library", "name": "Acme Library", "version": "3.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -96,34 +69,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-2" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_dependency.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_dependency.snap
index 7bada5ff..044d94b9 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_dependency.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_dependency.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -31,15 +31,13 @@ "type": "library", "name": "library-a", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -47,48 +45,23 @@ "name": "spdx:spdxid", "value": "SPDXRef-library-a" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { "type": "library", "name": "library-b", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -96,48 +69,23 @@ "name": "spdx:spdxid", "value": "SPDXRef-library-b" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] }, { "type": "library", "name": "library-c", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -145,34 +93,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-library-c" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_empty-components.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_empty-components.snap
index ce58aaa2..cd376098 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_empty-components.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_empty-components.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_evidence.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_evidence.snap
index 1978fa7b..e21a4e62 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_evidence.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_evidence.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -28,7 +28,7 @@ }, "components": [ { - "type": "library", + "type": "application", "name": "findbugs-project", "version": "3.0.0", "licenses": [
@@ -36,15 +36,10 @@ "expression": "LGPL-3.0-or-later" } ], - "copyright": "NOASSERTION", "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -52,25 +47,9 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } ], "evidence": {
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_external-reference.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_external-reference.snap
index 63afee4a..27007e93 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_external-reference.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_external-reference.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -31,15 +31,13 @@ "type": "library", "name": "mylibrary", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -47,34 +45,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-expression.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-expression.snap
index ebb7a639..4959d6ef 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-expression.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-expression.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -36,15 +36,10 @@ "expression": "EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0" } ], - "copyright": "NOASSERTION", "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -52,30 +47,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-id.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-id.snap
index 8aec8085..870dfc10 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-id.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-id.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -36,15 +36,10 @@ "expression": "Apache-2.0" } ], - "copyright": "NOASSERTION", "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -52,30 +47,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-name.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-name.snap
index 9e3615e2..d64825b9 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-name.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_license-name.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
@@ -34,15 +34,10 @@ "licenses": [ {} ], - "copyright": "NOASSERTION", "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [
@@ -50,30 +45,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] }
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-author.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-author.snap
index 2f838ba7..9b2ff3ba 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-author.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-author.snap
@@ -16,7 +16,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-license.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-license.snap
index ce58aaa2..cd376098 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-license.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-license.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-manufacture.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-manufacture.snap
index ce58aaa2..cd376098 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-manufacture.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-manufacture.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name",
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-supplier.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-supplier.snap
index ce58aaa2..cd376098 100644
--- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-supplier.snap
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-supplier.snap
@@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name", diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-timestamp.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-timestamp.snap index acffd1e5..daa87c85 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-timestamp.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-timestamp.snap @@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name", diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-tool.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-tool.snap index ab653b43..46541abd 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-tool.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_metadata-tool.snap @@ -16,7 +16,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name", diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_minimal-viable.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_minimal-viable.snap index 7b97d207..9f661bab 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_minimal-viable.snap 
+++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_minimal-viable.snap @@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name", @@ -31,15 +31,13 @@ "type": "library", "name": "acme-library", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [ @@ -47,34 +45,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] } diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_patch.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_patch.snap index 6ee97859..1f04ebf1 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_patch.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_patch.snap @@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name", @@ -31,15 +31,13 @@ "type": "library", "name": "sample-library", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [ 
@@ -47,34 +45,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] } diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_properties.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_properties.snap index 7b97d207..9f661bab 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_properties.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_properties.snap @@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name", @@ -31,15 +31,13 @@ "type": "library", "name": "acme-library", "version": "1.0.0", - "copyright": "NOASSERTION", + "licenses": [ + {} + ], "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [ @@ -47,34 +45,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-Package-1" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:license-declared", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] } 
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_service-empty-objects.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_service-empty-objects.snap index ce58aaa2..cd376098 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_service-empty-objects.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_service-empty-objects.snap @@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name", diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_service.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_service.snap index 01643775..17e04b3e 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_service.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromCDXToSpdxToCDXRoundTripTest_service.snap @@ -10,7 +10,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:document:name", @@ -42,15 +42,10 @@ "expression": "Apache-2.0" } ], - "copyright": "NOASSERTION", "externalReferences": [ { "url": "NOASSERTION", "type": "distribution" - }, - { - "url": "NOASSERTION", - "type": "website" } ], "properties": [ 
@@ -58,30 +53,11 @@ "name": "spdx:spdxid", "value": "SPDXRef-pkg:npm/acme/component@1.0.0" }, - { - "name": "spdx:license-concluded", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:originator", - "value": "NOASSERTION" - }, - { - "name": "spdx:package:supplier", - "value": "NOASSERTION" - }, { "name": "spdx:download-location", "value": "NOASSERTION" - }, - { - "name": "spdx:homepage", - "value": "NOASSERTION" } - ], - "evidence": { - "licenses": [] - } + ] } ] } diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_document.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_document.snap index db0d6abd..decb3d68 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_document.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_document.snap @@ -26,7 +26,7 @@ }, { "name": "spdx:document:spdx-version", - "value": "SPDX-2.2" + "value": "SPDX-2.3" }, { "name": "spdx:comment", @@ -80,7 +80,7 @@ }, "components": [ { - "type": "library", + "type": "framework", "supplier": { "name": "Jane Doe", "contact": [ @@ -95,13 +95,9 @@ "description": "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", "hashes": [ { - "alg": "MD5", + "alg": "BLAKE2b-512", "content": "624c1abb3664f4b35547e7c73864ad24" }, - { - "alg": "SHA-1", - "content": "85ed0817af83a24ad8da68c2b5094de69833983c" - }, { "alg": "SHA-256", "content": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" 
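Review bot: The glibc hash entry at `-"alg": "MD5"` / `+"alg": "BLAKE2b-512"` keeps the identical 32-hex-character content `624c1abb3664f4b35547e7c73864ad24`, but a BLAKE2b-512 digest is 64 bytes (128 hex characters), so the new snapshot records an algorithm label that cannot match its digest. The same pattern shows up in the following hunk, where the former SHA-1 value `85ed0817af83a24ad8da68c2b5094de69833983c` (40 hex) resurfaces under `spdx:checksum:adler32`, a 32-bit checksum, and where the same package's `"type": "library"` becomes `"framework"` and its `other:` external reference becomes `persistent-id:swh`. Taken together these look like the SPDX 2.3 checksum-algorithm, package-purpose and reference-category enumerations being mapped by ordinal position rather than by name somewhere in the v2.3 converter, though that code is outside this diff, so this is inferred from the snapshot alone. A mislabeled hash algorithm in an SBOM silently defeats downstream integrity verification, so I would not accept this snapshot as the new expectation; instead add an assertion that digest length agrees with the algorithm (MD5 → 32 hex, SHA-1 → 40, SHA-256 → 64, BLAKE2b-512 → 128, adler32 → 8) and regenerate once it passes.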
@@ -164,6 +160,18 @@ "name": "spdx:package:summary", "value": "GNU C library." }, + { + "name": "spdx:package:built-date", + "value": "2011-01-29T18:30:22Z" + }, + { + "name": "spdx:package:release-date", + "value": "2012-01-29T18:30:22Z" + }, + { + "name": "spdx:package:valid-until-date", + "value": "2014-01-29T18:30:22Z" + }, { "name": "spdx:package:originator:organization", "value": "ExampleCodeInspect" @@ -172,12 +180,16 @@ "name": "spdx:package:originator:email", "value": "contact@example.com" }, + { + "name": "spdx:checksum:adler32", + "value": "85ed0817af83a24ad8da68c2b5094de69833983c" + }, { "name": "spdx:external-reference:security:cpe23", "value": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*" }, { - "name": "spdx:external-reference:other:http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge", + "name": "spdx:external-reference:persistent-id:swh", "value": "acmecorp/acmenator/4.1.3-alpha This is the external ref for Acme" }, { @@ -264,7 +276,7 @@ ] }, { - "type": "library", + "type": "application", "name": "Jena", "version": "3.12.0", "copyright": "NOASSERTION", diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.2document.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.2document.snap new file mode 100644 index 00000000..e0237d2f --- /dev/null +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.2document.snap 
@@ -0,0 +1,551 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "metadata": { + "timestamp": "2010-01-29T18:30:22Z", + "tools": [ + { + "name": "LicenseFind", + "version": "1.0" + } + ], + "authors": [ + { + "name": "ExampleCodeInspect", + "email": "" + }, + { + "name": "Jane Doe", + "email": "" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-DOCUMENT" + }, + { + "name": "spdx:document:spdx-version", + "value": "SPDX-2.3" + }, + { + "name": "spdx:comment", + "value": "This document was created using CycloneDX.Spdx 2.0 using licenses from the web site." + }, + { + "name": "spdx:document:name", + "value": "SPDX-Tools-v2.0" + }, + { + "name": "spdx:document:document-namespace", + "value": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301" + }, + { + "name": "spdx:creation-info:comment", + "value": "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries." 
+ }, + { + "name": "spdx:creation-info:creators-organization", + "value": "ExampleCodeInspect" + }, + { + "name": "spdx:creation-info:license-list-version", + "value": "3.9" + }, + { + "name": "spdx:document:external-document-ref", + "value": "{\u0022ExternalDocumentId\u0022:\u0022DocumentRef-spdx-tool-1.2\u0022,\u0022Checksum\u0022:{\u0022Algorithm\u0022:1,\u0022ChecksumValue\u0022:\u0022d6a770ba38583ed4bb4525bd96e50461655d2759\u0022},\u0022SpdxDocument\u0022:\u0022http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301\u0022}" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222010-01-29T18:30:22Z\u0022,\u0022AnnotationType\u0022:0,\u0022Annotator\u0022:\u0022Person: Jane Doe ()\u0022,\u0022Comment\u0022:\u0022Document level annotation\u0022}" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222010-02-10T00:00:00Z\u0022,\u0022AnnotationType\u0022:1,\u0022Annotator\u0022:\u0022Person: Joe Reviewer\u0022,\u0022Comment\u0022:\u0022This is just an example. 
Some of the non-standard licenses look like they are actually BSD 3 clause licenses\u0022}" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222011-03-13T00:00:00Z\u0022,\u0022AnnotationType\u0022:1,\u0022Annotator\u0022:\u0022Person: Suzanne Reviewer\u0022,\u0022Comment\u0022:\u0022Another example reviewer.\u0022}" + }, + { + "name": "spdx:document:describes", + "value": "SPDXRef-File" + }, + { + "name": "spdx:document:describes", + "value": "SPDXRef-Package" + } + ] + }, + "components": [ + { + "type": "library", + "supplier": { + "name": "Jane Doe", + "contact": [ + { + "email": "jane.doe@example.com" + } + ] + }, + "author": "ExampleCodeInspect", + "name": "glibc", + "version": "2.11.1", + "description": "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", + "hashes": [ + { + "alg": "MD5", + "content": "624c1abb3664f4b35547e7c73864ad24" + }, + { + "alg": "SHA-1", + "content": "85ed0817af83a24ad8da68c2b5094de69833983c" + }, + { + "alg": "SHA-256", + "content": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + } + ], + "licenses": [ + { + "expression": "(LGPL-2.0-only AND LicenseRef-3)" + } + ], + "copyright": "Copyright 2008-2010 John Smith", + "externalReferences": [ + { + "url": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz", + "type": "distribution" + }, + { + "url": "http://ftp.gnu.org/gnu/glibc", + "type": "website" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-Package" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222011-01-29T18:30:22Z\u0022,\u0022AnnotationType\u0022:0,\u0022Annotator\u0022:\u0022Person: Package Commenter\u0022,\u0022Comment\u0022:\u0022Package level annotation\u0022}" + }, + { + "name": "spdx:files-analyzed", + "value": "true" + }, + { + "name": 
"spdx:license-comments", + "value": "The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change." + }, + { + "name": "spdx:license-concluded", + "value": "(LGPL-2.0-only OR LicenseRef-3)" + }, + { + "name": "spdx:package:file-name", + "value": "glibc-2.11.1.tar.gz" + }, + { + "name": "spdx:package:verification-code:value", + "value": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + { + "name": "spdx:package:verification-code:excluded-file", + "value": "./package.spdx" + }, + { + "name": "spdx:package:source-info", + "value": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git." + }, + { + "name": "spdx:package:summary", + "value": "GNU C library." + }, + { + "name": "spdx:package:originator:organization", + "value": "ExampleCodeInspect" + }, + { + "name": "spdx:package:originator:email", + "value": "contact@example.com" + }, + { + "name": "spdx:external-reference:security:cpe23", + "value": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*" + }, + { + "name": "spdx:external-reference:other:http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge", + "value": "acmecorp/acmenator/4.1.3-alpha This is the external ref for Acme" + }, + { + "name": "spdx:download-location", + "value": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz" + }, + { + "name": "spdx:homepage", + "value": "http://ftp.gnu.org/gnu/glibc" + } + ], + "evidence": { + "licenses": [ + { + "license": { + "id": "GPL-2.0-only" + } + }, + { + "license": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "VGhpcyBwYWNrYWdlIGluY2x1ZGVzIHRoZSBHUkRETCBwYXJzZXIgZGV2ZWxvcGVkIGJ5IEhld2xldHQgUGFja2FyZCB1bmRlciB0aGUgZm9sbG93aW5nIGxpY2Vuc2U6Cu\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" + } + } + }, + { + "license": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": 
"LyoKICogKGMpIENvcHlyaWdodCAyMDAwLCAyMDAxLCAyMDAyLCAyMDAzLCAyMDA0LCAyMDA1LCAyMDA2LCAyMDA3LCAyMDA4LCAyMDA5IEhld2xldHQtUGFja2FyZCBEZXZlbG9wbWVudCBDb21wYW55LCBMUAogKiBBbGwgcmlnaHRzIHJlc2VydmVkLgogKgogKiBSZWRpc3RyaWJ1dGlvbiBhbmQgdXNlIGluIHNvdXJjZSBhbmQgYmluYXJ5IGZvcm1zLCB3aXRoIG9yIHdpdGhvdXQKICogbW9kaWZpY2F0aW9uLCBhcmUgcGVybWl0dGVkIHByb3ZpZGVkIHRoYXQgdGhlIGZvbGxvd2luZyBjb25kaXRpb25zCiAqIGFyZSBtZXQ6CiAqIDEuIFJlZGlzdHJpYnV0aW9ucyBvZiBzb3VyY2UgY29kZSBtdXN0IHJldGFpbiB0aGUgYWJvdmUgY29weXJpZ2h0CiAqICAgIG5vdGljZSwgdGhpcyBsaXN0IG9mIGNvbmRpdGlvbnMgYW5kIHRoZSBmb2xsb3dpbmcgZGlzY2xhaW1lci4KICogMi4gUmVkaXN0cmlidXRpb25zIGluIGJpbmFyeSBmb3JtIG11c3QgcmVwcm9kdWNlIHRoZSBhYm92ZSBjb3B5cmlnaHQKICogICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluIHRoZQogKiAgICBkb2N1bWVudGF0aW9uIGFuZC9vciBvdGhlciBtYXRlcmlhbHMgcHJvdmlkZWQgd2l0aCB0aGUgZGlzdHJpYnV0aW9uLgogKiAzLiBUaGUgbmFtZSBvZiB0aGUgYXV0aG9yIG1heSBub3QgYmUgdXNlZCB0byBlbmRvcnNlIG9yIHByb21vdGUgcHJvZHVjdHMKICogICAgZGVyaXZlZCBmcm9tIHRoaXMgc29mdHdhcmUgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCiAqCiAqIFRISVMgU09GVFdBUkUgSVMgUFJPVklERUQgQlkgVEhFIEFVVEhPUiBgYEFTIElTJycgQU5EIEFOWSBFWFBSRVNTIE9SCiAqIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMKICogT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4KICogSU4gTk8gRVZFTlQgU0hBTEwgVEhFIEFVVEhPUiBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULAogKiBJTkNJREVOVEFMLCBTUEVDSUFMLCBFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQKICogTk9UIExJTUlURUQgVE8sIFBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLAogKiBEQVRBLCBPUiBQUk9GSVRTOyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkKICogVEhFT1JZIE9GIExJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVAogKiAoSU5DTFVESU5HIE5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YKICogVEhJUyBTT0ZUV0FSRSwgRVZFTiB
JRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4KKi8=" + } + } + } + ], + "copyright": [ + { + "text": "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." + } + ] + } + }, + { + "type": "library", + "name": "Apache Commons Lang", + "copyright": "NOASSERTION", + "externalReferences": [ + { + "url": "NOASSERTION", + "type": "distribution" + }, + { + "url": "http://commons.apache.org/proper/commons-lang/", + "type": "website" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-fromDoap-1" + }, + { + "name": "spdx:files-analyzed", + "value": "false" + }, + { + "name": "spdx:license-concluded", + "value": "NOASSERTION" + }, + { + "name": "spdx:license-declared", + "value": "NOASSERTION" + }, + { + "name": "spdx:download-location", + "value": "NOASSERTION" + }, + { + "name": "spdx:homepage", + "value": "http://commons.apache.org/proper/commons-lang/" + } + ] + }, + { + "type": "library", + "name": "Jena", + "version": "3.12.0", + "copyright": "NOASSERTION", + "externalReferences": [ + { + "url": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", + "type": "distribution" + }, + { + "url": "http://www.openjena.org/", + "type": "website" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-fromDoap-0" + }, + { + "name": "spdx:files-analyzed", + "value": "false" + }, + { + "name": "spdx:license-concluded", + "value": "NOASSERTION" + }, + { + "name": "spdx:license-declared", + "value": "NOASSERTION" + }, + { + "name": "spdx:external-reference:package-manager:purl", + "value": "pkg:maven/org.apache.jena/apache-jena@3.12.0" + 
}, + { + "name": "spdx:download-location", + "value": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz" + }, + { + "name": "spdx:homepage", + "value": "http://www.openjena.org/" + } + ] + }, + { + "type": "library", + "name": "Saxon", + "version": "8.8", + "description": "The Saxon package is a collection of tools for processing XML documents.", + "hashes": [ + { + "alg": "SHA-1", + "content": "85ed0817af83a24ad8da68c2b5094de69833983c" + } + ], + "licenses": [ + { + "expression": "MPL-1.0" + } + ], + "copyright": "Copyright Saxonica Ltd", + "externalReferences": [ + { + "url": "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download", + "type": "distribution" + }, + { + "url": "http://saxon.sourceforge.net/", + "type": "website" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-Saxon" + }, + { + "name": "spdx:files-analyzed", + "value": "false" + }, + { + "name": "spdx:license-comments", + "value": "Other versions available for a commercial license" + }, + { + "name": "spdx:license-concluded", + "value": "MPL-1.0" + }, + { + "name": "spdx:package:file-name", + "value": "saxonB-8.8.zip" + }, + { + "name": "spdx:download-location", + "value": "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download" + }, + { + "name": "spdx:homepage", + "value": "http://saxon.sourceforge.net/" + } + ] + }, + { + "type": "file", + "name": "./src/org/spdx/parser/DOAPProject.java", + "hashes": [ + { + "alg": "SHA-1", + "content": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" + } + ], + "copyright": "Copyright 2010, 2011 Source Auditor Inc.", + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-DoapSource" + }, + { + "name": "spdx:file:type", + "value": "7" + }, + { + "name": "spdx:license-concluded", + "value": "Apache-2.0" + }, + { + "name": "spdx:file:contributor", + "value": "Protecode Inc." 
+ }, + { + "name": "spdx:file:contributor", + "value": "SPDX Technical Team Members" + }, + { + "name": "spdx:file:contributor", + "value": "Open Logic Inc." + }, + { + "name": "spdx:file:contributor", + "value": "Source Auditor Inc." + }, + { + "name": "spdx:file:contributor", + "value": "Black Duck Software In.c" + } + ] + }, + { + "type": "file", + "name": "./lib-source/commons-lang3-3.1-sources.jar", + "hashes": [ + { + "alg": "SHA-1", + "content": "c2b4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "copyright": "Copyright 2001-2011 The Apache Software Foundation", + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-CommonsLangSrc" + }, + { + "name": "spdx:comment", + "value": "This file is used by Jena" + }, + { + "name": "spdx:file:type", + "value": "4" + }, + { + "name": "spdx:license-concluded", + "value": "Apache-2.0" + }, + { + "name": "spdx:file:contributor", + "value": "Apache Software Foundation" + }, + { + "name": "spdx:file:notice-text", + "value": "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())" + } + ] + }, + { + "type": "file", + "name": "./lib-source/jena-2.6.3-sources.jar", + "hashes": [ + { + "alg": "SHA-1", + "content": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "copyright": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-JenaLib" + }, + { + "name": "spdx:comment", + "value": "This file belongs to Jena" + }, + { + "name": "spdx:file:type", + "value": "4" + }, + { + "name": "spdx:license-comments", + "value": "This license is used by Jena" + }, + { + "name": "spdx:license-concluded", + "value": "LicenseRef-1" + }, + { + "name": 
"spdx:file:contributor", + "value": "Apache Software Foundation" + }, + { + "name": "spdx:file:contributor", + "value": "Hewlett Packard Inc." + } + ] + }, + { + "type": "file", + "name": "./package/foo.c", + "hashes": [ + { + "alg": "SHA-1", + "content": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + { + "alg": "MD5", + "content": "624c1abb3664f4b35547e7c73864ad24" + } + ], + "copyright": "Copyright 2008-2010 John Smith", + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-File" + }, + { + "name": "spdx:comment", + "value": "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory." + }, + { + "name": "spdx:file:type", + "value": "7" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222011-01-29T18:30:22Z\u0022,\u0022AnnotationType\u0022:0,\u0022Annotator\u0022:\u0022Person: File Commenter\u0022,\u0022Comment\u0022:\u0022File level annotation\u0022}" + }, + { + "name": "spdx:license-comments", + "value": "The concluded license was taken from the package level that the file was included in." 
+ }, + { + "name": "spdx:license-concluded", + "value": "(LGPL-2.0-only OR LicenseRef-2)" + }, + { + "name": "spdx:file:contributor", + "value": "The Regents of the University of California" + }, + { + "name": "spdx:file:contributor", + "value": "Modified by Paul Mundt lethal@linux-sh.org" + }, + { + "name": "spdx:file:contributor", + "value": "IBM Corporation" + }, + { + "name": "spdx:file:notice-text", + "value": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \uFFFDSoftware\uFFFD), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \uFFFDAS IS\u0027, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." + } + ] + } + ] +} diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.3document.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.3document.snap new file mode 100644 index 00000000..4dc440e2 --- /dev/null +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.3document.snap 
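Review bot: The new v2.2 snapshot reports `"spdx:document:spdx-version"` as `"SPDX-2.3"` near its top, even though the test name (`FromSpdxToCDXTest_v2.2document`) indicates the input is a 2.2 document; if the converter rewrites the version instead of preserving what the source declared, a consumer can no longer tell which schema the original was validated against, and a CDX→SPDX round trip would emit a 2.3 claim for 2.2 content. Whether that is deliberate normalization or a field being overwritten is not visible here, since only the snapshot is in the diff, so a one-line comment in the test stating which behaviour is intended would settle it. Separately, the `spdx:file:notice-text` value for `./package/foo.c` contains U+FFFD replacement characters (`\uFFFDSoftware\uFFFD`, `\uFFFDAS IS\u0027`) where the notice presumably had typographic quotes, which suggests the fixture or the reader decoded the text with the wrong encoding; notice text is legal content that should round-trip losslessly, so I would fix the fixture encoding (or read it explicitly as UTF-8) and regenerate rather than pin the corrupted text as the expected output.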
@@ -0,0 +1,555 @@ +{ + "bomFormat": "CycloneDX", + "specVersion": "1.6", + "metadata": { + "timestamp": "2010-01-29T18:30:22Z", + "tools": [ + { + "name": "LicenseFind", + "version": "1.0" + } + ], + "authors": [ + { + "name": "ExampleCodeInspect", + "email": "" + }, + { + "name": "Jane Doe", + "email": "" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-DOCUMENT" + }, + { + "name": "spdx:document:spdx-version", + "value": "SPDX-2.3" + }, + { + "name": "spdx:comment", + "value": "This document was created using CycloneDX.Spdx 2.0 using licenses from the web site." + }, + { + "name": "spdx:document:name", + "value": "SPDX-Tools-v2.0" + }, + { + "name": "spdx:document:document-namespace", + "value": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301" + }, + { + "name": "spdx:creation-info:comment", + "value": "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries." 
+ }, + { + "name": "spdx:creation-info:creators-organization", + "value": "ExampleCodeInspect" + }, + { + "name": "spdx:creation-info:license-list-version", + "value": "3.9" + }, + { + "name": "spdx:document:external-document-ref", + "value": "{\u0022ExternalDocumentId\u0022:\u0022DocumentRef-spdx-tool-1.2\u0022,\u0022Checksum\u0022:{\u0022Algorithm\u0022:1,\u0022ChecksumValue\u0022:\u0022d6a770ba38583ed4bb4525bd96e50461655d2759\u0022},\u0022SpdxDocument\u0022:\u0022http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301\u0022}" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222010-01-29T18:30:22Z\u0022,\u0022AnnotationType\u0022:0,\u0022Annotator\u0022:\u0022Person: Jane Doe ()\u0022,\u0022Comment\u0022:\u0022Document level annotation\u0022}" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222010-02-10T00:00:00Z\u0022,\u0022AnnotationType\u0022:1,\u0022Annotator\u0022:\u0022Person: Joe Reviewer\u0022,\u0022Comment\u0022:\u0022This is just an example. 
Some of the non-standard licenses look like they are actually BSD 3 clause licenses\u0022}" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222011-03-13T00:00:00Z\u0022,\u0022AnnotationType\u0022:1,\u0022Annotator\u0022:\u0022Person: Suzanne Reviewer\u0022,\u0022Comment\u0022:\u0022Another example reviewer.\u0022}" + }, + { + "name": "spdx:document:describes", + "value": "SPDXRef-File" + }, + { + "name": "spdx:document:describes", + "value": "SPDXRef-Package" + } + ] + }, + "components": [ + { + "type": "framework", + "supplier": { + "name": "Jane Doe", + "contact": [ + { + "email": "jane.doe@example.com" + } + ] + }, + "author": "ExampleCodeInspect", + "name": "glibc", + "version": "2.11.1", + "description": "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", + "hashes": [ + { + "alg": "BLAKE2b-512", + "content": "624c1abb3664f4b35547e7c73864ad24" + }, + { + "alg": "SHA-256", + "content": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + } + ], + "licenses": [ + { + "expression": "(LGPL-2.0-only AND LicenseRef-3)" + } + ], + "copyright": "Copyright 2008-2010 John Smith", + "externalReferences": [ + { + "url": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz", + "type": "distribution" + }, + { + "url": "http://ftp.gnu.org/gnu/glibc", + "type": "website" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-Package" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222011-01-29T18:30:22Z\u0022,\u0022AnnotationType\u0022:0,\u0022Annotator\u0022:\u0022Person: Package Commenter\u0022,\u0022Comment\u0022:\u0022Package level annotation\u0022}" + }, + { + "name": "spdx:files-analyzed", + "value": "true" + }, + { + "name": "spdx:license-comments", + "value": "The license for this project changed 
with the release of version x.y. The version of the project included here post-dates the license change." + }, + { + "name": "spdx:license-concluded", + "value": "(LGPL-2.0-only OR LicenseRef-3)" + }, + { + "name": "spdx:package:file-name", + "value": "glibc-2.11.1.tar.gz" + }, + { + "name": "spdx:package:verification-code:value", + "value": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + { + "name": "spdx:package:verification-code:excluded-file", + "value": "./package.spdx" + }, + { + "name": "spdx:package:source-info", + "value": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git." + }, + { + "name": "spdx:package:summary", + "value": "GNU C library." + }, + { + "name": "spdx:package:built-date", + "value": "2011-01-29T18:30:22Z" + }, + { + "name": "spdx:package:release-date", + "value": "2012-01-29T18:30:22Z" + }, + { + "name": "spdx:package:valid-until-date", + "value": "2014-01-29T18:30:22Z" + }, + { + "name": "spdx:package:originator:organization", + "value": "ExampleCodeInspect" + }, + { + "name": "spdx:package:originator:email", + "value": "contact@example.com" + }, + { + "name": "spdx:checksum:adler32", + "value": "85ed0817af83a24ad8da68c2b5094de69833983c" + }, + { + "name": "spdx:external-reference:security:cpe23", + "value": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*" + }, + { + "name": "spdx:external-reference:persistent-id:swh", + "value": "acmecorp/acmenator/4.1.3-alpha This is the external ref for Acme" + }, + { + "name": "spdx:download-location", + "value": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz" + }, + { + "name": "spdx:homepage", + "value": "http://ftp.gnu.org/gnu/glibc" + } + ], + "evidence": { + "licenses": [ + { + "license": { + "id": "GPL-2.0-only" + } + }, + { + "license": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": 
"VGhpcyBwYWNrYWdlIGluY2x1ZGVzIHRoZSBHUkRETCBwYXJzZXIgZGV2ZWxvcGVkIGJ5IEhld2xldHQgUGFja2FyZCB1bmRlciB0aGUgZm9sbG93aW5nIGxpY2Vuc2U6Cu\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" + } + } + }, + { + "license": { + "text": { + "contentType": "text/plain", + "encoding": "base64", + "content": "LyoKICogKGMpIENvcHlyaWdodCAyMDAwLCAyMDAxLCAyMDAyLCAyMDAzLCAyMDA0LCAyMDA1LCAyMDA2LCAyMDA3LCAyMDA4LCAyMDA5IEhld2xldHQtUGFja2FyZCBEZXZlbG9wbWVudCBDb21wYW55LCBMUAogKiBBbGwgcmlnaHRzIHJlc2VydmVkLgogKgogKiBSZWRpc3RyaWJ1dGlvbiBhbmQgdXNlIGluIHNvdXJjZSBhbmQgYmluYXJ5IGZvcm1zLCB3aXRoIG9yIHdpdGhvdXQKICogbW9kaWZpY2F0aW9uLCBhcmUgcGVybWl0dGVkIHByb3ZpZGVkIHRoYXQgdGhlIGZvbGxvd2luZyBjb25kaXRpb25zCiAqIGFyZSBtZXQ6CiAqIDEuIFJlZGlzdHJpYnV0aW9ucyBvZiBzb3VyY2UgY29kZSBtdXN0IHJldGFpbiB0aGUgYWJvdmUgY29weXJpZ2h0CiAqICAgIG5vdGljZSwgdGhpcyBsaXN0IG9mIGNvbmRpdGlvbnMgYW5kIHRoZSBmb2xsb3dpbmcgZGlzY2xhaW1lci4KICogMi4gUmVkaXN0cmlidXRpb25zIGluIGJpbmFyeSBmb3JtIG11c3QgcmVwcm9kdWNlIHRoZSBhYm92ZSBjb3B5cmlnaHQKICogICAgbm90aWNlLCB0aGlzIGxpc3Qgb2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyIGluIHRoZQogKiAgICBkb2N1bWVudGF0aW9uIGFuZC9vciBvdGhlciBtYXRlcmlhbHMgcHJvdmlkZWQgd2l0aCB0aGUgZGlzdHJpYnV0aW9uLgogKiAzLiBUaGUgbmFtZSBvZiB0aGUgYXV0aG9yIG1heSBub3QgYmUgdXNlZCB0byBlbmRvcnNlIG9yIHByb21vdGUgcHJvZHVjdHMKICogICAgZGVyaXZlZCBmcm9tIHRoaXMgc29mdHdhcmUgd2l0aG91dCBzcGVjaWZpYyBwcmlvciB3cml0dGVuIHBlcm1pc3Npb24uCiAqCiAqIFRISVMgU09GVFdBUkUgSVMgUFJPVklERUQgQlkgVEhFIEFVVEhPUiBgYEFTIElTJycgQU5EIEFOWSBFWFBSRVNTIE9SCiAqIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sIFRIRSBJTVBMSUVEIFdBUlJBTlRJRVMKICogT0YgTUVSQ0hBTlRBQklMSVRZIEFORCBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRSBBUkUgRElTQ0xBSU1FRC4KICogSU4gTk8gRVZFTlQgU0hBTEwgVEhFIEFVVEhPUiBCRSBMSUFCTEUgRk9SIEFOWSBESVJFQ1QsIElORElSRUNULAogKiBJTkNJREVOVEFMLCBTUEVDSUFMLCBFWEVNUExBUlksIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQKICogTk9UIExJTUlURUQgVE8sIFBST0NVUkVNRU5UIE9GIFNVQlNUSVRVVEUgR09PRFMgT1IgU0VSVklDRVM7IExPU1MgT0YgVVNFLAogKiBEQVRBLCBPUiBQUk9GSVRT
OyBPUiBCVVNJTkVTUyBJTlRFUlJVUFRJT04pIEhPV0VWRVIgQ0FVU0VEIEFORCBPTiBBTlkKICogVEhFT1JZIE9GIExJQUJJTElUWSwgV0hFVEhFUiBJTiBDT05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVAogKiAoSU5DTFVESU5HIE5FR0xJR0VOQ0UgT1IgT1RIRVJXSVNFKSBBUklTSU5HIElOIEFOWSBXQVkgT1VUIE9GIFRIRSBVU0UgT0YKICogVEhJUyBTT0ZUV0FSRSwgRVZFTiBJRiBBRFZJU0VEIE9GIFRIRSBQT1NTSUJJTElUWSBPRiBTVUNIIERBTUFHRS4KKi8=" + } + } + } + ], + "copyright": [ + { + "text": "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." + } + ] + } + }, + { + "type": "library", + "name": "Apache Commons Lang", + "copyright": "NOASSERTION", + "externalReferences": [ + { + "url": "NOASSERTION", + "type": "distribution" + }, + { + "url": "http://commons.apache.org/proper/commons-lang/", + "type": "website" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-fromDoap-1" + }, + { + "name": "spdx:files-analyzed", + "value": "false" + }, + { + "name": "spdx:license-concluded", + "value": "NOASSERTION" + }, + { + "name": "spdx:license-declared", + "value": "NOASSERTION" + }, + { + "name": "spdx:download-location", + "value": "NOASSERTION" + }, + { + "name": "spdx:homepage", + "value": "http://commons.apache.org/proper/commons-lang/" + } + ] + }, + { + "type": "application", + "name": "Jena", + "version": "3.12.0", + "copyright": "NOASSERTION", + "externalReferences": [ + { + "url": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", + "type": "distribution" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-fromDoap-0" + }, + { + "name": "spdx:files-analyzed", + "value": "false" + }, + { + "name": 
"spdx:license-concluded", + "value": "NOASSERTION" + }, + { + "name": "spdx:license-declared", + "value": "NOASSERTION" + }, + { + "name": "spdx:external-reference:package-manager:purl", + "value": "pkg:maven/org.apache.jena/apache-jena@3.12.0" + }, + { + "name": "spdx:download-location", + "value": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz" + } + ] + }, + { + "type": "library", + "name": "Saxon", + "version": "8.8", + "description": "The Saxon package is a collection of tools for processing XML documents.", + "hashes": [ + { + "alg": "SHA-1", + "content": "85ed0817af83a24ad8da68c2b5094de69833983c" + } + ], + "licenses": [ + { + "expression": "MPL-1.0" + } + ], + "copyright": "Copyright Saxonica Ltd", + "externalReferences": [ + { + "url": "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download", + "type": "distribution" + }, + { + "url": "http://saxon.sourceforge.net/", + "type": "website" + } + ], + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-Saxon" + }, + { + "name": "spdx:files-analyzed", + "value": "false" + }, + { + "name": "spdx:license-comments", + "value": "Other versions available for a commercial license" + }, + { + "name": "spdx:license-concluded", + "value": "MPL-1.0" + }, + { + "name": "spdx:package:file-name", + "value": "saxonB-8.8.zip" + }, + { + "name": "spdx:download-location", + "value": "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download" + }, + { + "name": "spdx:homepage", + "value": "http://saxon.sourceforge.net/" + } + ] + }, + { + "type": "file", + "name": "./src/org/spdx/parser/DOAPProject.java", + "hashes": [ + { + "alg": "SHA-1", + "content": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" + } + ], + "copyright": "Copyright 2010, 2011 Source Auditor Inc.", + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-DoapSource" + }, + { + "name": "spdx:file:type", + "value": "7" 
+ }, + { + "name": "spdx:license-concluded", + "value": "Apache-2.0" + }, + { + "name": "spdx:file:contributor", + "value": "Protecode Inc." + }, + { + "name": "spdx:file:contributor", + "value": "SPDX Technical Team Members" + }, + { + "name": "spdx:file:contributor", + "value": "Open Logic Inc." + }, + { + "name": "spdx:file:contributor", + "value": "Source Auditor Inc." + }, + { + "name": "spdx:file:contributor", + "value": "Black Duck Software In.c" + } + ] + }, + { + "type": "file", + "name": "./lib-source/commons-lang3-3.1-sources.jar", + "hashes": [ + { + "alg": "SHA-1", + "content": "c2b4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "copyright": "Copyright 2001-2011 The Apache Software Foundation", + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-CommonsLangSrc" + }, + { + "name": "spdx:comment", + "value": "This file is used by Jena" + }, + { + "name": "spdx:file:type", + "value": "4" + }, + { + "name": "spdx:license-concluded", + "value": "Apache-2.0" + }, + { + "name": "spdx:file:contributor", + "value": "Apache Software Foundation" + }, + { + "name": "spdx:file:notice-text", + "value": "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())" + } + ] + }, + { + "type": "file", + "name": "./lib-source/jena-2.6.3-sources.jar", + "hashes": [ + { + "alg": "SHA-1", + "content": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "copyright": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-JenaLib" + }, + { + "name": "spdx:comment", + "value": "This file belongs to Jena" + }, + { + "name": "spdx:file:type", + "value": "4" + }, + { + "name": 
"spdx:license-comments", + "value": "This license is used by Jena" + }, + { + "name": "spdx:license-concluded", + "value": "LicenseRef-1" + }, + { + "name": "spdx:file:contributor", + "value": "Apache Software Foundation" + }, + { + "name": "spdx:file:contributor", + "value": "Hewlett Packard Inc." + } + ] + }, + { + "type": "file", + "name": "./package/foo.c", + "hashes": [ + { + "alg": "SHA-1", + "content": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + { + "alg": "MD5", + "content": "624c1abb3664f4b35547e7c73864ad24" + } + ], + "copyright": "Copyright 2008-2010 John Smith", + "properties": [ + { + "name": "spdx:spdxid", + "value": "SPDXRef-File" + }, + { + "name": "spdx:comment", + "value": "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory." + }, + { + "name": "spdx:file:type", + "value": "7" + }, + { + "name": "spdx:annotation", + "value": "{\u0022AnnotationDate\u0022:\u00222011-01-29T18:30:22Z\u0022,\u0022AnnotationType\u0022:0,\u0022Annotator\u0022:\u0022Person: File Commenter\u0022,\u0022Comment\u0022:\u0022File level annotation\u0022}" + }, + { + "name": "spdx:license-comments", + "value": "The concluded license was taken from the package level that the file was included in." 
+ }, + { + "name": "spdx:license-concluded", + "value": "(LGPL-2.0-only OR LicenseRef-2)" + }, + { + "name": "spdx:file:contributor", + "value": "The Regents of the University of California" + }, + { + "name": "spdx:file:contributor", + "value": "Modified by Paul Mundt lethal@linux-sh.org" + }, + { + "name": "spdx:file:contributor", + "value": "IBM Corporation" + }, + { + "name": "spdx:file:notice-text", + "value": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \uFFFDSoftware\uFFFD), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \uFFFDAS IS\u0027, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." + } + ] + } + ] +} 
diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXToSpdxRoundTripTest_document.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXToSpdxRoundTripTest_v2.2document.snap similarity index 95% rename from tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXToSpdxRoundTripTest_document.snap rename to tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXToSpdxRoundTripTest_v2.2document.snap index 5c9eb096..56e946fe 100644 --- a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXToSpdxRoundTripTest_document.snap +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXToSpdxRoundTripTest_v2.2document.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.", "created": "2010-01-29T18:30:22Z", @@ -54,11 +54,11 @@ "comment": "Another example reviewer." } ], - "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", "documentDescribes": [ "SPDXRef-File", "SPDXRef-Package" ], + "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", "packages": [ { "SPDXID": "SPDXRef-Package", @@ -122,6 +122,7 @@ ], "packageVerificationCodeValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" }, + "primaryPackagePurpose": "LIBRARY", "sourceInfo": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.", "summary": "GNU C library.", "supplier": "Person: Jane Doe (jane.doe@example.com)", 
@@ -129,22 +130,14 @@ }, { "SPDXID": "SPDXRef-fromDoap-1", - "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "homepage": "http://commons.apache.org/proper/commons-lang/", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "Apache Commons Lang", - "originator": "NOASSERTION", - "supplier": "NOASSERTION" + "primaryPackagePurpose": "LIBRARY" }, { "SPDXID": "SPDXRef-fromDoap-0", - "copyrightText": "NOASSERTION", "downloadLocation": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", "externalRefs": [ { @@ -155,14 +148,8 @@ ], "filesAnalyzed": false, "homepage": "http://www.openjena.org/", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "Jena", - "originator": "NOASSERTION", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "3.12.0" }, { @@ -181,13 +168,9 @@ "licenseComments": "Other versions available for a commercial license", "licenseConcluded": "MPL-1.0", "licenseDeclared": "MPL-1.0", - "licenseInfoFromFiles": [ - "NOASSERTION" - ], "name": "Saxon", - "originator": "NOASSERTION", "packageFileName": "saxonB-8.8.zip", - "supplier": "NOASSERTION", + "primaryPackagePurpose": "LIBRARY", "versionInfo": "8.8" } ], diff --git a/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXToSpdxRoundTripTest_v2.3document.snap b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXToSpdxRoundTripTest_v2.3document.snap new file mode 100644 index 00000000..3cf2ea77 --- /dev/null +++ b/tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXToSpdxRoundTripTest_v2.3document.snap 
@@ -0,0 +1,279 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "comment": "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.", + "created": "2010-01-29T18:30:22Z", + "creators": [ + "Tool: LicenseFind-1.0", + "Organization: ExampleCodeInspect ()", + "Person: Jane Doe ()" + ], + "licenseListVersion": "3.9" + }, + "name": "SPDX-Tools-v2.0", + "dataLicense": "CC0-1.0", + "comment": "This document was created using CycloneDX.Spdx 2.0 using licenses from the web site.", + "externalDocumentRefs": [ + { + "externalDocumentId": "DocumentRef-spdx-tool-1.2", + "checksum": { + "algorithm": "SHA1", + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759" + }, + "spdxDocument": "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301" + } + ], + "hasExtractedLicensingInfos": [ + { + "licenseId": "LicenseRef-1", + "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\uFFFD Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. 
\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR \u0060\u0060AS IS\u0027\u0027 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." + }, + { + "licenseId": "LicenseRef-2", + "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. 
The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR \u0060\u0060AS IS\u0027\u0027 AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + } + ], + "annotations": [ + { + "annotationDate": "2010-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: Jane Doe ()", + "comment": "Document level annotation" + }, + { + "annotationDate": "2010-02-10T00:00:00Z", + "annotationType": "REVIEW", + "annotator": "Person: Joe Reviewer", + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses" + }, + { + "annotationDate": "2011-03-13T00:00:00Z", + "annotationType": "REVIEW", + "annotator": "Person: Suzanne Reviewer", + "comment": "Another example reviewer." + } + ], + "documentDescribes": [ + "SPDXRef-File", + "SPDXRef-Package" + ], + "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "annotations": [ + { + "annotationDate": "2011-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: Package Commenter", + "comment": "Package level annotation" + } + ], + "attributionTexts": [ + "The GNU C Library is free software. 
See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." + ], + "builtDate": "2011-01-29T18:30:22Z", + "checksums": [ + { + "algorithm": "BLAKE2b_512", + "checksumValue": "624c1abb3664f4b35547e7c73864ad24" + }, + { + "algorithm": "SHA256", + "checksumValue": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + }, + { + "algorithm": "ADLER32", + "checksumValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + } + ], + "copyrightText": "Copyright 2008-2010 John Smith", + "description": "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", + "downloadLocation": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "comment": "This is the external ref for Acme", + "referenceCategory": "PERSISTENT_ID", + "referenceLocator": "acmecorp/acmenator/4.1.3-alpha", + "referenceType": "swh" + } + ], + "filesAnalyzed": true, + "homepage": "http://ftp.gnu.org/gnu/glibc", + "licenseComments": "The license for this project changed with the release of version x.y. 
The version of the project included here post-dates the license change.", + "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-3)", + "licenseDeclared": "(LGPL-2.0-only AND LicenseRef-3)", + "licenseInfoFromFiles": [ + "GPL-2.0-only", + "LicenseRef-1", + "LicenseRef-2" + ], + "name": "glibc", + "originator": "Organization: ExampleCodeInspect (contact@example.com)", + "packageFileName": "glibc-2.11.1.tar.gz", + "packageVerificationCode": { + "packageVerificationCodeExcludedFiles": [ + "./package.spdx" + ], + "packageVerificationCodeValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + "primaryPackagePurpose": "FRAMEWORK", + "releaseDate": "2012-01-29T18:30:22Z", + "sourceInfo": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.", + "summary": "GNU C library.", + "supplier": "Person: Jane Doe (jane.doe@example.com)", + "validUntilDate": "2014-01-29T18:30:22Z", + "versionInfo": "2.11.1" + }, + { + "SPDXID": "SPDXRef-fromDoap-1", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "homepage": "http://commons.apache.org/proper/commons-lang/", + "name": "Apache Commons Lang", + "primaryPackagePurpose": "LIBRARY" + }, + { + "SPDXID": "SPDXRef-fromDoap-0", + "downloadLocation": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceLocator": "pkg:maven/org.apache.jena/apache-jena@3.12.0", + "referenceType": "purl" + } + ], + "filesAnalyzed": false, + "name": "Jena", + "primaryPackagePurpose": "APPLICATION", + "versionInfo": "3.12.0" + }, + { + "SPDXID": "SPDXRef-Saxon", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + } + ], + "copyrightText": "Copyright Saxonica Ltd", + "description": "The Saxon package is a collection of tools for processing XML documents.", + "downloadLocation": 
"https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download", + "filesAnalyzed": false, + "homepage": "http://saxon.sourceforge.net/", + "licenseComments": "Other versions available for a commercial license", + "licenseConcluded": "MPL-1.0", + "licenseDeclared": "MPL-1.0", + "name": "Saxon", + "packageFileName": "saxonB-8.8.zip", + "primaryPackagePurpose": "LIBRARY", + "versionInfo": "8.8" + } + ], + "files": [ + { + "SPDXID": "SPDXRef-DoapSource", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" + } + ], + "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", + "fileContributors": [ + "Protecode Inc.", + "SPDX Technical Team Members", + "Open Logic Inc.", + "Source Auditor Inc.", + "Black Duck Software In.c" + ], + "fileName": "./src/org/spdx/parser/DOAPProject.java", + "fileTypes": [ + "SOURCE" + ], + "licenseConcluded": "Apache-2.0" + }, + { + "SPDXID": "SPDXRef-CommonsLangSrc", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "c2b4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "This file is used by Jena", + "copyrightText": "Copyright 2001-2011 The Apache Software Foundation", + "fileContributors": [ + "Apache Software Foundation" + ], + "fileName": "./lib-source/commons-lang3-3.1-sources.jar", + "fileTypes": [ + "ARCHIVE" + ], + "licenseConcluded": "Apache-2.0", + "noticeText": "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())" + }, + { + "SPDXID": "SPDXRef-JenaLib", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "This file belongs to Jena", + "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 
2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "fileContributors": [ + "Apache Software Foundation", + "Hewlett Packard Inc." + ], + "fileName": "./lib-source/jena-2.6.3-sources.jar", + "fileTypes": [ + "ARCHIVE" + ], + "licenseComments": "This license is used by Jena", + "licenseConcluded": "LicenseRef-1" + }, + { + "SPDXID": "SPDXRef-File", + "annotations": [ + { + "annotationDate": "2011-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: File Commenter", + "comment": "File level annotation" + } + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + { + "algorithm": "MD5", + "checksumValue": "624c1abb3664f4b35547e7c73864ad24" + } + ], + "comment": "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.", + "copyrightText": "Copyright 2008-2010 John Smith", + "fileContributors": [ + "The Regents of the University of California", + "Modified by Paul Mundt lethal@linux-sh.org", + "IBM Corporation" + ], + "fileName": "./package/foo.c", + "fileTypes": [ + "SOURCE" + ], + "licenseComments": "The concluded license was taken from the package level that the file was included in.", + "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-2)", + "noticeText": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \uFFFDSoftware\uFFFD), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the 
Software.\n\nTHE SOFTWARE IS PROVIDED \uFFFDAS IS\u0027, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." + } + ] +} diff --git a/tests/CycloneDX.Spdx.Tests/CycloneDX.Spdx.Tests.csproj b/tests/CycloneDX.Spdx.Tests/CycloneDX.Spdx.Tests.csproj index 6a055336..13567274 100644 --- a/tests/CycloneDX.Spdx.Tests/CycloneDX.Spdx.Tests.csproj +++ b/tests/CycloneDX.Spdx.Tests/CycloneDX.Spdx.Tests.csproj @@ -26,11 +26,38 @@ - + + + + + + + + Always + + + + + + + + + + + Always + + + + + + Always + + + diff --git a/tests/CycloneDX.Spdx.Tests/JsonSerializerTests.cs b/tests/CycloneDX.Spdx.Tests/JsonSerializerTests.cs index e99bce51..86ae6b5d 100644 --- a/tests/CycloneDX.Spdx.Tests/JsonSerializerTests.cs +++ b/tests/CycloneDX.Spdx.Tests/JsonSerializerTests.cs @@ -31,7 +31,7 @@ public class JsonSerializerTests [InlineData("document")] public void JsonRoundTripTest(string baseFilename) { - var resourceFilename = Path.Join("Resources", "v2.2", baseFilename + ".json"); + var resourceFilename = Path.Join("Resources", "v2.3", baseFilename + ".json"); var document = File.ReadAllText(resourceFilename); var spdxDocument = JsonSerializer.Deserialize(document); @@ -44,7 +44,7 @@ public void JsonRoundTripTest(string baseFilename) [InlineData("document")] public async Task JsonAsyncRoundTripTest(string baseFilename) { - var resourceFilename = Path.Join("Resources", "v2.2", baseFilename + ".json"); + var resourceFilename = Path.Join("Resources", "v2.3", baseFilename + ".json"); using (var jsonStream = File.OpenRead(resourceFilename)) using (var outputStream = new MemoryStream()) 
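Review bot: Pointing `JsonRoundTripTest` and `JsonAsyncRoundTripTest` at `Resources/v2.3` drops the round-trip coverage of the v2.2 document entirely, while `Resources/v2.2/document.json` is still shipped and still validated by JsonValidatorTests in this same commit; the two hunks (@@ -31 and @@ -44) would be better parameterized by version the way the validator tests are, e.g. `[InlineData("v2.2")]`, `[InlineData("v2.3")]`, `var resourceFilename = Path.Join("Resources", version, "document.json");`. The snapshot name would then need the version as well (`SnapshotNameExtension.Create(version)`), which also documents that a 2.2 input is expected to round-trip as 2.3, as the renamed v2.2document.snap in this commit shows. The method bodies continue outside the hunks.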
@@ -52,7 +52,7 @@ public async Task JsonAsyncRoundTripTest(string baseFilename) var spdxDocument = await JsonSerializer.DeserializeAsync(jsonStream); await JsonSerializer.SerializeAsync(spdxDocument, outputStream); var result = System.Text.Encoding.UTF8.GetString(outputStream.ToArray()); - Snapshot.Match(result, SnapshotNameExtension.Create(baseFilename)); + Snapshot.Match(result, SnapshotNameExtension.Create(baseFilename)); } } } diff --git a/tests/CycloneDX.Spdx.Tests/JsonValidatorTests.cs b/tests/CycloneDX.Spdx.Tests/JsonValidatorTests.cs index e3778265..1755111c 100644 --- a/tests/CycloneDX.Spdx.Tests/JsonValidatorTests.cs +++ b/tests/CycloneDX.Spdx.Tests/JsonValidatorTests.cs @@ -28,10 +28,11 @@ namespace CycloneDX.Spdx.Tests public class JsonValidatorTests { [Theory] - [InlineData("document")] - public void ValidateJsonStringTest(string baseFilename) + [InlineData("v2.2")] + [InlineData("v2.3")] + public void ValidateJsonStringTest(string version) { - var resourceFilename = Path.Join("Resources", "v2.2", baseFilename + ".json"); + var resourceFilename = Path.Join("Resources", version, "document" + ".json"); var document = File.ReadAllText(resourceFilename); var result = JsonValidator.Validate(document); @@ -40,10 +41,11 @@ public void ValidateJsonStringTest(string baseFilename) } [Theory] - [InlineData("document")] - public async Task ValidateJsonStreamTest(string baseFilename) + [InlineData("v2.2")] + [InlineData("v2.3")] + public async Task ValidateJsonStreamTest(string version) { - var resourceFilename = Path.Join("Resources", "v2.2", baseFilename + ".json"); + var resourceFilename = Path.Join("Resources", version, "document" + ".json"); using (var jsonStream = File.OpenRead(resourceFilename)) { var validationResult = await JsonValidator.ValidateAsync(jsonStream).ConfigureAwait(false); 
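Review bot: `"document" + ".json"` in both `ValidateJsonStringTest` and `ValidateJsonStreamTest` is a leftover from the removed `baseFilename` parameter; with a constant name the concatenation only obscures the path, so `var resourceFilename = Path.Join("Resources", version, "document.json");` reads better in both hunks, and the same applies to `"invalidPrimaryPackagePurpose" + ".json"` in the following hunk. Since the two theories now feed documents of two different spec versions to the same `JsonValidator`, a short comment on the `[Theory]` stating whether the validator selects the schema from `spdxVersion` or validates everything against one schema would save the next reader from having to infer it; I cannot tell from the hunk which it is. Both method bodies continue outside the hunks.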
@@ -51,5 +53,20 @@ public async Task ValidateJsonStreamTest(string baseFilename) Assert.True(validationResult.Valid); } } + + [Fact] + public async Task ValidateInvalidPrimaryPackagePurpose() + { + var resourceFilename = Path.Join("Resources", "v2.3", "invalidPrimaryPackagePurpose" + ".json"); + using (var jsonStream = File.OpenRead(resourceFilename)) + { + var validationResult = await JsonValidator.ValidateAsync(jsonStream).ConfigureAwait(false); + + Assert.False(validationResult.Valid); + } + } + + + } } diff --git a/tests/CycloneDX.Spdx.Tests/Resources/v2.3/document.json b/tests/CycloneDX.Spdx.Tests/Resources/v2.3/document.json new file mode 100644 index 00000000..de9a3094 --- /dev/null +++ b/tests/CycloneDX.Spdx.Tests/Resources/v2.3/document.json 
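Review bot: `ValidateInvalidPrimaryPackagePurpose` only asserts `validationResult.Valid` is false, so the test still passes if the fixture is rejected for an unrelated reason (malformed JSON, a missing required field), which means it does not actually prove the `primaryPackagePurpose` enum is enforced. If the result exposes its validation messages, assert that one of them refers to `primaryPackagePurpose`; otherwise add a comment on the `[Fact]` naming the single deliberate defect in `invalidPrimaryPackagePurpose.json` so a later fixture edit cannot silently change what is being tested. The three blank lines added before the closing braces look unintentional and should be dropped.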
@@ -0,0 +1,353 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "comment": "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.", + "created": "2010-01-29T18:30:22Z", + "creators": [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ], + "licenseListVersion": "3.17" + }, + "name": "SPDX-Tools-v2.0", + "dataLicense": "CC0-1.0", + "comment": "This document was created using SPDX 2.0 using licenses from the web site.", + "externalDocumentRefs": [ + { + "externalDocumentId": "DocumentRef-spdx-tool-1.2", + "checksum": { + "algorithm": "SHA1", + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759" + }, + "spdxDocument": "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301" + } + ], + "hasExtractedLicensingInfos": [ + { + "licenseId": "LicenseRef-1", + "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. 
The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, + { + "licenseId": "LicenseRef-2", + "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n© Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." + }, + { + "licenseId": "LicenseRef-4", + "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. 
The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, + { + "licenseId": "LicenseRef-Beerware-4.2", + "comment": "The beerware license has a couple of other standard variants.", + "extractedText": "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp", + "name": "Beer-Ware License (Version 42)", + "seeAlsos": [ "http://people.freebsd.org/~phk/" ] + }, + { + "licenseId": "LicenseRef-3", + "comment": "This is tye CyperNeko License", + "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. 
Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "name": "CyberNeko License", + "seeAlsos": [ "http://people.apache.org/~andyc/neko/LICENSE", "http://justasample.url.com" ] + } + ], + "annotations": [ + { + "annotationDate": "2010-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: Jane Doe ()", + "comment": "Document level annotation" + }, + { + "annotationDate": "2010-02-10T00:00:00Z", + "annotationType": "REVIEW", + "annotator": "Person: Joe Reviewer", + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses" + }, + { + "annotationDate": "2011-03-13T00:00:00Z", + "annotationType": "REVIEW", + "annotator": "Person: Suzanne Reviewer", + "comment": "Another example reviewer." + } + ], + "documentDescribes": [ "SPDXRef-File", "SPDXRef-Package" ], + "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "annotations": [ + { + "annotationDate": "2011-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: Package Commenter", + "comment": "Package level annotation" + } + ], + "attributionTexts": [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. 
License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ], + "builtDate": "2011-01-29T18:30:22Z", + "checksums": [ + { + "algorithm": "MD5", + "checksumValue": "624c1abb3664f4b35547e7c73864ad24" + }, + { + "algorithm": "SHA1", + "checksumValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + }, + { + "algorithm": "SHA256", + "checksumValue": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + }, + { + "algorithm": "BLAKE2b_384", + "checksumValue": "aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706" + } + ], + "copyrightText": "Copyright 2008-2010 John Smith", + "description": "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", + "downloadLocation": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "comment": "This is the external ref for Acme", + "referenceCategory": "PERSISTENT_ID", + "referenceLocator": "acmecorp/acmenator/4.1.3-alpha", + "referenceType": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge" + } + ], + "filesAnalyzed": true, + "homepage": "http://ftp.gnu.org/gnu/glibc", + "licenseComments": "The license for this project changed with the release of version x.y. 
The version of the project included here post-dates the license change.", + "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-3)", + "licenseDeclared": "(LGPL-2.0-only AND LicenseRef-3)", + "licenseInfoFromFiles": [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ], + "name": "glibc", + "originator": "Organization: ExampleCodeInspect (contact@example.com)", + "packageFileName": "glibc-2.11.1.tar.gz", + "packageVerificationCode": { + "packageVerificationCodeExcludedFiles": [ "./package.spdx" ], + "packageVerificationCodeValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + "primaryPackagePurpose": "SOURCE", + "hasFiles": [ "SPDXRef-Specification", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource" ], + "releaseDate": "2012-01-29T18:30:22Z", + "sourceInfo": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.", + "summary": "GNU C library.", + "supplier": "Person: Jane Doe (jane.doe@example.com)", + "validUntilDate": "2014-01-29T18:30:22Z", + "versionInfo": "2.11.1" + }, + { + "SPDXID": "SPDXRef-fromDoap-1", + "copyrightText": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "homepage": "http://commons.apache.org/proper/commons-lang/", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "Apache Commons Lang" + }, + { + "SPDXID": "SPDXRef-fromDoap-0", + "downloadLocation": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceLocator": "pkg:maven/org.apache.jena/apache-jena@3.12.0", + "referenceType": "purl" + } + ], + "filesAnalyzed": false, + "homepage": "http://www.openjena.org/", + "name": "Jena", + 
"primaryPackagePurpose": "APPLICATION", + "versionInfo": "3.12.0" + }, + { + "SPDXID": "SPDXRef-Saxon", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + } + ], + "copyrightText": "Copyright Saxonica Ltd", + "description": "The Saxon package is a collection of tools for processing XML documents.", + "downloadLocation": "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download", + "filesAnalyzed": false, + "homepage": "http://saxon.sourceforge.net/", + "licenseComments": "Other versions available for a commercial license", + "licenseConcluded": "MPL-1.0", + "licenseDeclared": "MPL-1.0", + "name": "Saxon", + "packageFileName": "saxonB-8.8.zip", + "versionInfo": "8.8" + } + ], + "files": [ + { + "SPDXID": "SPDXRef-DoapSource", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" + } + ], + "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", + "fileContributors": [ "Protecode Inc.", "SPDX Technical Team Members", "Open Logic Inc.", "Source Auditor Inc.", "Black Duck Software In.c" ], + "fileName": "./src/org/spdx/parser/DOAPProject.java", + "fileTypes": [ "SOURCE" ], + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ "Apache-2.0" ] + }, + { + "SPDXID": "SPDXRef-CommonsLangSrc", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "c2b4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "This file is used by Jena", + "copyrightText": "Copyright 2001-2011 The Apache Software Foundation", + "fileContributors": [ "Apache Software Foundation" ], + "fileName": "./lib-source/commons-lang3-3.1-sources.jar", + "fileTypes": [ "ARCHIVE" ], + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ "Apache-2.0" ], + "noticeText": "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation 
(http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())" + }, + { + "SPDXID": "SPDXRef-JenaLib", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "This file belongs to Jena", + "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "fileContributors": [ "Apache Software Foundation", "Hewlett Packard Inc." ], + "fileName": "./lib-source/jena-2.6.3-sources.jar", + "fileTypes": [ "ARCHIVE" ], + "licenseComments": "This license is used by Jena", + "licenseConcluded": "LicenseRef-1", + "licenseInfoInFiles": [ "LicenseRef-1" ] + }, + { + "SPDXID": "SPDXRef-Specification", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "fff4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "Specification Documentation", + "fileName": "./docs/myspec.pdf", + "fileTypes": [ "DOCUMENTATION" ] + }, + { + "SPDXID": "SPDXRef-File", + "annotations": [ + { + "annotationDate": "2011-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: File Commenter", + "comment": "File level annotation" + } + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + { + "algorithm": "MD5", + "checksumValue": "624c1abb3664f4b35547e7c73864ad24" + } + ], + "comment": "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.", + "copyrightText": "Copyright 2008-2010 John Smith", + "fileContributors": [ "The Regents of the University of California", "Modified by Paul Mundt lethal@linux-sh.org", "IBM Corporation" ], + "fileName": "./package/foo.c", + "fileTypes": [ "SOURCE" ], + "licenseComments": "The concluded license was taken from the package level that the 
file was included in.", + "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-2)", + "licenseInfoInFiles": [ "GPL-2.0-only", "LicenseRef-2" ], + "noticeText": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." + } + ], + "snippets": [ + { + "SPDXID": "SPDXRef-Snippet", + "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.", + "copyrightText": "Copyright 2008-2010 John Smith", + "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. 
The concluded license information was found in the COPYING.txt file in package xyz.", + "licenseConcluded": "GPL-2.0-only", + "licenseInfoInSnippets": [ "GPL-2.0-only" ], + "name": "from linux kernel", + "ranges": [ + { + "endPointer": { + "offset": 420, + "reference": "SPDXRef-DoapSource" + }, + "startPointer": { + "offset": 310, + "reference": "SPDXRef-DoapSource" + } + }, + { + "endPointer": { + "lineNumber": 23, + "reference": "SPDXRef-DoapSource" + }, + "startPointer": { + "lineNumber": 5, + "reference": "SPDXRef-DoapSource" + } + } + ], + "snippetFromFile": "SPDXRef-DoapSource" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "COPY_OF", + "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement" + }, + { + "spdxElementId": "SPDXRef-Package", + "relationshipType": "DYNAMIC_LINK", + "relatedSpdxElement": "SPDXRef-Saxon" + }, + { + "spdxElementId": "SPDXRef-CommonsLangSrc", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "NOASSERTION" + }, + { + "spdxElementId": "SPDXRef-JenaLib", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" + }, + { + "spdxElementId": "SPDXRef-Specification", + "relationshipType": "SPECIFICATION_FOR", + "relatedSpdxElement": "SPDXRef-fromDoap-0" + }, + { + "spdxElementId": "SPDXRef-File", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "SPDXRef-fromDoap-0" + } + ] +} \ No newline at end of file diff --git a/tests/CycloneDX.Spdx.Tests/Resources/v2.3/document.xml b/tests/CycloneDX.Spdx.Tests/Resources/v2.3/document.xml new file mode 100644 index 00000000..05d1aadd --- /dev/null +++ b/tests/CycloneDX.Spdx.Tests/Resources/v2.3/document.xml 
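Review bot: The new `document.json` and the sibling `document.xml` fixture (the `@@ -0,0 +1,477` hunk that follows) do not describe the same document, which matters if they are meant as conversion or round-trip counterparts: here `SPDXRef-fromDoap-0` carries `"primaryPackagePurpose": "APPLICATION"`, whereas in the XML only `SPDXRef-Package` appears to carry a purpose (`SOURCE`); the XML is rendered here without its tags, so confirm against the file before changing either side. The enum spellings also differ between the two — `BLAKE2b_384`, `PERSISTENT_ID` and `PACKAGE_MANAGER` in the JSON versus `BLAKE2b-384`, `PERSISTENT-ID` and `PACKAGE-MANAGER` in the XML; if both forms are accepted by the v2.3 schemas the validator loads this is intentional and deserves a short comment in the test that reads them, so nobody "normalises" one side later. The JSON file is also added with `\ No newline at end of file`.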
@@ -0,0 +1,477 @@ + + + SPDXRef-DOCUMENT + SPDX-2.3 + + + This package has been shipped in source and binary form. + The binaries were created with gcc 4.5.1 and expect to link to + compatible system run time libraries. + + 2010-01-29T18:30:22Z + Tool: LicenseFind-1.0 + Organization: ExampleCodeInspect () + Person: Jane Doe () + 3.17 + + SPDX-Tools-v2.0 + CC0-1.0 + This document was created using SPDX 2.0 using licenses from the web site. + + DocumentRef-spdx-tool-1.2 + + SHA1 + d6a770ba38583ed4bb4525bd96e50461655d2759 + + http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301 + + + LicenseRef-1 + + /* + * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + + + + LicenseRef-2 + + This package includes the GRDDL parser developed by Hewlett Packard under the following license: + © Copyright 2007 Hewlett-Packard Development Company, LP + + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + + Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. + Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. + The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. + THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + + + LicenseRef-4 + + /* + * (c) Copyright 2009 University of Bristol + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + + + + LicenseRef-Beerware-4.2 + The beerware license has a couple of other standard variants. + + "THE BEER-WARE LICENSE" (Revision 42): + phk@FreeBSD.ORG wrote this file. As long as you retain this notice you + can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp + + Beer-Ware License (Version 42) + http://people.freebsd.org/~phk/ + + + LicenseRef-3 + This is tye CyperNeko License + + The CyberNeko Software License, Version 1.0 + + + (C) Copyright 2002-2005, Andy Clark. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + + 3. The end-user documentation included with the redistribution, + if any, must include the following acknowledgment: + "This product includes software developed by Andy Clark." + Alternately, this acknowledgment may appear in the software itself, + if and wherever such third-party acknowledgments normally appear. + + 4. The names "CyberNeko" and "NekoHTML" must not be used to endorse + or promote products derived from this software without prior + written permission. For written permission, please contact + andyc@cyberneko.net. + + 5. Products derived from this software may not be called "CyberNeko", + nor may "CyberNeko" appear in their name, without prior written + permission of the author. 
+ + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS + BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + CyberNeko License + http://people.apache.org/~andyc/neko/LICENSE + http://justasample.url.com + + + 2010-01-29T18:30:22Z + OTHER + Person: Jane Doe () + Document level annotation + + + 2010-02-10T00:00:00Z + REVIEW + Person: Joe Reviewer + This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses + + + 2011-03-13T00:00:00Z + REVIEW + Person: Suzanne Reviewer + Another example reviewer. + + SPDXRef-File + SPDXRef-Package + http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 + + SPDXRef-Package + + 2011-01-29T18:30:22Z + OTHER + Person: Package Commenter + Package level annotation + + The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. 
+ 2011-01-29T18:30:22Z + + MD5 + 624c1abb3664f4b35547e7c73864ad24 + + + SHA1 + 85ed0817af83a24ad8da68c2b5094de69833983c + + + SHA256 + 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd + + + BLAKE2b-384 + aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 + + Copyright 2008-2010 John Smith + The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems. + http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz + + SECURITY + cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:* + cpe23Type + + + This is the external ref for Acme + PERSISTENT-ID + acmecorp/acmenator/4.1.3-alpha + http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge + + true + http://ftp.gnu.org/gnu/glibc + The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change. + (LGPL-2.0-only OR LicenseRef-3) + (LGPL-2.0-only AND LicenseRef-3) + GPL-2.0-only + LicenseRef-2 + LicenseRef-1 + glibc + Organization: ExampleCodeInspect (contact@example.com) + glibc-2.11.1.tar.gz + + ./package.spdx + d6a770ba38583ed4bb4525bd96e50461655d2758 + + SOURCE + SPDXRef-Specification + SPDXRef-Specification + SPDXRef-CommonsLangSrc + SPDXRef-Specification + SPDXRef-CommonsLangSrc + SPDXRef-JenaLib + SPDXRef-Specification + SPDXRef-CommonsLangSrc + SPDXRef-JenaLib + SPDXRef-DoapSource + SPDXRef-Specification + SPDXRef-CommonsLangSrc + SPDXRef-JenaLib + SPDXRef-DoapSource + 2012-01-29T18:30:22Z + uses glibc-2_11-branch from git://sourceware.org/git/glibc.git. + GNU C library. 
+ Person: Jane Doe (jane.doe@example.com) + 2014-01-29T18:30:22Z + 2.11.1 + + + SPDXRef-fromDoap-1 + NOASSERTION + NOASSERTION + false + http://commons.apache.org/proper/commons-lang/ + NOASSERTION + NOASSERTION + Apache Commons Lang + + + SPDXRef-fromDoap-0 + https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz + + PACKAGE-MANAGER + pkg:maven/org.apache.jena/apache-jena@3.12.0 + purl + + false + http://www.openjena.org/ + Jena + 3.12.0 + + + SPDXRef-Saxon + + SHA1 + 85ed0817af83a24ad8da68c2b5094de69833983c + + Copyright Saxonica Ltd + The Saxon package is a collection of tools for processing XML documents. + https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download + false + http://saxon.sourceforge.net/ + Other versions available for a commercial license + MPL-1.0 + MPL-1.0 + Saxon + saxonB-8.8.zip + 8.8 + + + SPDXRef-DoapSource + + SHA1 + 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + + Copyright 2010, 2011 Source Auditor Inc. + Protecode Inc. + SPDX Technical Team Members + Open Logic Inc. + Source Auditor Inc. + Black Duck Software In.c + ./src/org/spdx/parser/DOAPProject.java + SOURCE + Apache-2.0 + Apache-2.0 + + + SPDXRef-CommonsLangSrc + + SHA1 + c2b4e1c67a2d28fced849ee1bb76e7391b93f125 + + This file is used by Jena + Copyright 2001-2011 The Apache Software Foundation + Apache Software Foundation + ./lib-source/commons-lang3-3.1-sources.jar + ARCHIVE + Apache-2.0 + Apache-2.0 + + Apache Commons Lang + Copyright 2001-2011 The Apache Software Foundation + + This product includes software developed by + The Apache Software Foundation (http://www.apache.org/). 
+ + This product includes software from the Spring Framework, + under the Apache License 2.0 (see: StringUtils.containsWhitespace()) + + + + SPDXRef-JenaLib + + SHA1 + 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 + + This file belongs to Jena + (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP + Apache Software Foundation + Hewlett Packard Inc. + ./lib-source/jena-2.6.3-sources.jar + ARCHIVE + This license is used by Jena + LicenseRef-1 + LicenseRef-1 + + + SPDXRef-Specification + + SHA1 + fff4e1c67a2d28fced849ee1bb76e7391b93f125 + + Specification Documentation + ./docs/myspec.pdf + DOCUMENTATION + + + SPDXRef-File + + 2011-01-29T18:30:22Z + OTHER + Person: File Commenter + File level annotation + + + SHA1 + d6a770ba38583ed4bb4525bd96e50461655d2758 + + + MD5 + 624c1abb3664f4b35547e7c73864ad24 + + + The concluded license was taken from the package level that the file was included in. + This information was found in the COPYING.txt file in the xyz directory. + + Copyright 2008-2010 John Smith + The Regents of the University of California + Modified by Paul Mundt lethal@linux-sh.org + IBM Corporation + ./package/foo.c + SOURCE + The concluded license was taken from the package level that the file was included in. + (LGPL-2.0-only OR LicenseRef-2) + GPL-2.0-only + LicenseRef-2 + + Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com + + Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
+ + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + + + + SPDXRef-Snippet + This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0. + Copyright 2008-2010 John Smith + The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz. + GPL-2.0-only + GPL-2.0-only + from linux kernel + + + 420 + SPDXRef-DoapSource + + + 310 + SPDXRef-DoapSource + + + + + 23 + SPDXRef-DoapSource + + + 5 + SPDXRef-DoapSource + + + SPDXRef-DoapSource + + + SPDXRef-DOCUMENT + CONTAINS + SPDXRef-Package + + + SPDXRef-DOCUMENT + COPY_OF + DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement + + + SPDXRef-Package + DYNAMIC_LINK + SPDXRef-Saxon + + + SPDXRef-CommonsLangSrc + GENERATED_FROM + NOASSERTION + + + SPDXRef-JenaLib + CONTAINS + SPDXRef-Package + + + SPDXRef-Specification + SPECIFICATION_FOR + SPDXRef-fromDoap-0 + + + SPDXRef-File + GENERATED_FROM + SPDXRef-fromDoap-0 + + diff --git a/tests/CycloneDX.Spdx.Tests/Resources/v2.3/invalidPrimaryPackagePurpose.json b/tests/CycloneDX.Spdx.Tests/Resources/v2.3/invalidPrimaryPackagePurpose.json new file mode 100644 index 00000000..12e9b980 --- /dev/null +++ b/tests/CycloneDX.Spdx.Tests/Resources/v2.3/invalidPrimaryPackagePurpose.json 
@@ -0,0 +1,353 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "comment": "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.", + "created": "2010-01-29T18:30:22Z", + "creators": [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ], + "licenseListVersion": "3.17" + }, + "name": "SPDX-Tools-v2.0", + "dataLicense": "CC0-1.0", + "comment": "This document was created using SPDX 2.0 using licenses from the web site.", + "externalDocumentRefs": [ + { + "externalDocumentId": "DocumentRef-spdx-tool-1.2", + "checksum": { + "algorithm": "SHA1", + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759" + }, + "spdxDocument": "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301" + } + ], + "hasExtractedLicensingInfos": [ + { + "licenseId": "LicenseRef-1", + "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. 
The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, + { + "licenseId": "LicenseRef-2", + "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n(c) Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." + }, + { + "licenseId": "LicenseRef-4", + "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. 
The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, + { + "licenseId": "LicenseRef-Beerware-4.2", + "comment": "The beerware license has a couple of other standard variants.", + "extractedText": "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp", + "name": "Beer-Ware License (Version 42)", + "seeAlsos": [ "http://people.freebsd.org/~phk/" ] + }, + { + "licenseId": "LicenseRef-3", + "comment": "This is tye CyperNeko License", + "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. 
Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "name": "CyberNeko License", + "seeAlsos": [ "http://people.apache.org/~andyc/neko/LICENSE", "http://justasample.url.com" ] + } + ], + "annotations": [ + { + "annotationDate": "2010-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: Jane Doe ()", + "comment": "Document level annotation" + }, + { + "annotationDate": "2010-02-10T00:00:00Z", + "annotationType": "REVIEW", + "annotator": "Person: Joe Reviewer", + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses" + }, + { + "annotationDate": "2011-03-13T00:00:00Z", + "annotationType": "REVIEW", + "annotator": "Person: Suzanne Reviewer", + "comment": "Another example reviewer." + } + ], + "documentDescribes": [ "SPDXRef-File", "SPDXRef-Package" ], + "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "annotations": [ + { + "annotationDate": "2011-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: Package Commenter", + "comment": "Package level annotation" + } + ], + "attributionTexts": [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. 
License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ], + "builtDate": "2011-01-29T18:30:22Z", + "checksums": [ + { + "algorithm": "MD5", + "checksumValue": "624c1abb3664f4b35547e7c73864ad24" + }, + { + "algorithm": "SHA1", + "checksumValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + }, + { + "algorithm": "SHA256", + "checksumValue": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + }, + { + "algorithm": "BLAKE2b_384", + "checksumValue": "aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706" + } + ], + "copyrightText": "Copyright 2008-2010 John Smith", + "description": "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", + "downloadLocation": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "comment": "This is the external ref for Acme", + "referenceCategory": "PERSISTENT_ID", + "referenceLocator": "acmecorp/acmenator/4.1.3-alpha", + "referenceType": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge" + } + ], + "filesAnalyzed": true, + "homepage": "http://ftp.gnu.org/gnu/glibc", + "licenseComments": "The license for this project changed with the release of version x.y. 
The version of the project included here post-dates the license change.", + "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-3)", + "licenseDeclared": "(LGPL-2.0-only AND LicenseRef-3)", + "licenseInfoFromFiles": [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ], + "name": "glibc", + "originator": "Organization: ExampleCodeInspect (contact@example.com)", + "packageFileName": "glibc-2.11.1.tar.gz", + "packageVerificationCode": { + "packageVerificationCodeExcludedFiles": [ "./package.spdx" ], + "packageVerificationCodeValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + "primaryPackagePurpose": "SOURCE", + "hasFiles": [ "SPDXRef-Specification", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource", "SPDXRef-Specification", "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource" ], + "releaseDate": "2012-01-29T18:30:22Z", + "sourceInfo": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.", + "summary": "GNU C library.", + "supplier": "Person: Jane Doe (jane.doe@example.com)", + "validUntilDate": "2014-01-29T18:30:22Z", + "versionInfo": "2.11.1" + }, + { + "SPDXID": "SPDXRef-fromDoap-1", + "copyrightText": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "homepage": "http://commons.apache.org/proper/commons-lang/", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "Apache Commons Lang" + }, + { + "SPDXID": "SPDXRef-fromDoap-0", + "downloadLocation": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceLocator": "pkg:maven/org.apache.jena/apache-jena@3.12.0", + "referenceType": "purl" + } + ], + "filesAnalyzed": false, + "homepage": "http://www.openjena.org/", + "name": "Jena", + 
"primaryPackagePurpose": "SOMETHING", + "versionInfo": "3.12.0" + }, + { + "SPDXID": "SPDXRef-Saxon", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "85ed0817af83a24ad8da68c2b5094de69833983c" + } + ], + "copyrightText": "Copyright Saxonica Ltd", + "description": "The Saxon package is a collection of tools for processing XML documents.", + "downloadLocation": "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download", + "filesAnalyzed": false, + "homepage": "http://saxon.sourceforge.net/", + "licenseComments": "Other versions available for a commercial license", + "licenseConcluded": "MPL-1.0", + "licenseDeclared": "MPL-1.0", + "name": "Saxon", + "packageFileName": "saxonB-8.8.zip", + "versionInfo": "8.8" + } + ], + "files": [ + { + "SPDXID": "SPDXRef-DoapSource", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" + } + ], + "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", + "fileContributors": [ "Protecode Inc.", "SPDX Technical Team Members", "Open Logic Inc.", "Source Auditor Inc.", "Black Duck Software In.c" ], + "fileName": "./src/org/spdx/parser/DOAPProject.java", + "fileTypes": [ "SOURCE" ], + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ "Apache-2.0" ] + }, + { + "SPDXID": "SPDXRef-CommonsLangSrc", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "c2b4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "This file is used by Jena", + "copyrightText": "Copyright 2001-2011 The Apache Software Foundation", + "fileContributors": [ "Apache Software Foundation" ], + "fileName": "./lib-source/commons-lang3-3.1-sources.jar", + "fileTypes": [ "ARCHIVE" ], + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ "Apache-2.0" ], + "noticeText": "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation 
(http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())" + }, + { + "SPDXID": "SPDXRef-JenaLib", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "This file belongs to Jena", + "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "fileContributors": [ "Apache Software Foundation", "Hewlett Packard Inc." ], + "fileName": "./lib-source/jena-2.6.3-sources.jar", + "fileTypes": [ "ARCHIVE" ], + "licenseComments": "This license is used by Jena", + "licenseConcluded": "LicenseRef-1", + "licenseInfoInFiles": [ "LicenseRef-1" ] + }, + { + "SPDXID": "SPDXRef-Specification", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "fff4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "Specification Documentation", + "fileName": "./docs/myspec.pdf", + "fileTypes": [ "DOCUMENTATION" ] + }, + { + "SPDXID": "SPDXRef-File", + "annotations": [ + { + "annotationDate": "2011-01-29T18:30:22Z", + "annotationType": "OTHER", + "annotator": "Person: File Commenter", + "comment": "File level annotation" + } + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + { + "algorithm": "MD5", + "checksumValue": "624c1abb3664f4b35547e7c73864ad24" + } + ], + "comment": "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.", + "copyrightText": "Copyright 2008-2010 John Smith", + "fileContributors": [ "The Regents of the University of California", "Modified by Paul Mundt lethal@linux-sh.org", "IBM Corporation" ], + "fileName": "./package/foo.c", + "fileTypes": [ "SOURCE" ], + "licenseComments": "The concluded license was taken from the package level that the 
file was included in.", + "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-2)", + "licenseInfoInFiles": [ "GPL-2.0-only", "LicenseRef-2" ], + "noticeText": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." + } + ], + "snippets": [ + { + "SPDXID": "SPDXRef-Snippet", + "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.", + "copyrightText": "Copyright 2008-2010 John Smith", + "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. 
The concluded license information was found in the COPYING.txt file in package xyz.", + "licenseConcluded": "GPL-2.0-only", + "licenseInfoInSnippets": [ "GPL-2.0-only" ], + "name": "from linux kernel", + "ranges": [ + { + "endPointer": { + "offset": 420, + "reference": "SPDXRef-DoapSource" + }, + "startPointer": { + "offset": 310, + "reference": "SPDXRef-DoapSource" + } + }, + { + "endPointer": { + "lineNumber": 23, + "reference": "SPDXRef-DoapSource" + }, + "startPointer": { + "lineNumber": 5, + "reference": "SPDXRef-DoapSource" + } + } + ], + "snippetFromFile": "SPDXRef-DoapSource" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relationshipType": "COPY_OF", + "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement" + }, + { + "spdxElementId": "SPDXRef-Package", + "relationshipType": "DYNAMIC_LINK", + "relatedSpdxElement": "SPDXRef-Saxon" + }, + { + "spdxElementId": "SPDXRef-CommonsLangSrc", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "NOASSERTION" + }, + { + "spdxElementId": "SPDXRef-JenaLib", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" + }, + { + "spdxElementId": "SPDXRef-Specification", + "relationshipType": "SPECIFICATION_FOR", + "relatedSpdxElement": "SPDXRef-fromDoap-0" + }, + { + "spdxElementId": "SPDXRef-File", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "SPDXRef-fromDoap-0" + } + ] +} \ No newline at end of file diff --git a/tests/CycloneDX.Spdx.Tests/XmlSerializerTests.cs b/tests/CycloneDX.Spdx.Tests/XmlSerializerTests.cs index 49ef1010..6f936b9b 100644 --- a/tests/CycloneDX.Spdx.Tests/XmlSerializerTests.cs +++ b/tests/CycloneDX.Spdx.Tests/XmlSerializerTests.cs 
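Review bot: A negative fixture named for one invalid field should otherwise be a valid SPDX 2.3 document, but this one also carries a `hasFiles` list on the glibc package that repeats the same four file IDs fourteen times in a cumulative pattern (`SPDXRef-Specification`, then `SPDXRef-Specification, SPDXRef-CommonsLangSrc`, …), which looks like an accumulating-list artifact rather than intended content, and it spells the checksum algorithm `BLAKE2b_384` where the XML fixture for the same package in this commit uses `BLAKE2b-384`. If either of those is also rejected by the JSON schema, a test that only asserts "validation failed" passes even when `"primaryPackagePurpose": "SOMETHING"` is never checked, which defeats the purpose of the fixture. I would list each file once in `hasFiles`, match the algorithm spelling to whatever the valid `document.json` uses, and have the test assert that the validation message names `primaryPackagePurpose`. The JSON round-trip snapshot in this same commit shows the same duplicated `hasFiles` and `BLAKE2b_384`, so the valid document presumably carries identical content and the schema may tolerate it — worth confirming rather than assuming.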
@@ -31,7 +31,7 @@ public class XmlSerializerTests [InlineData("document")] public void XmlRoundTripTest(string baseFilename) { - var resourceFilename = Path.Join("Resources", "v2.2", baseFilename + ".xml"); + var resourceFilename = Path.Join("Resources", "v2.3", baseFilename + ".xml"); var document = File.ReadAllText(resourceFilename); var spdxDocument = XmlSerializer.Deserialize(document); diff --git a/tests/CycloneDX.Spdx.Tests/XmlValidatorTests.cs b/tests/CycloneDX.Spdx.Tests/XmlValidatorTests.cs index 09f64a66..971a74b0 100644 --- a/tests/CycloneDX.Spdx.Tests/XmlValidatorTests.cs +++ b/tests/CycloneDX.Spdx.Tests/XmlValidatorTests.cs @@ -28,10 +28,11 @@ namespace CycloneDX.Spdx.Tests public class XmlValidatorTests { [Theory] - [InlineData("document")] - public void ValidateXmlStringTest(string baseFilename) + //[InlineData("v2.2")] + [InlineData("v2.3")] + public void ValidateXmlStringTest(string version) { - var resourceFilename = Path.Join("Resources", "v2.2", baseFilename + ".xml"); + var resourceFilename = Path.Join("Resources", version, "document" + ".xml"); var document = File.ReadAllText(resourceFilename); var result = XmlValidator.Validate(document); diff --git a/tests/CycloneDX.Spdx.Tests/__snapshots__/JsonSerializerTests.JsonAsyncRoundTripTest_document.snap b/tests/CycloneDX.Spdx.Tests/__snapshots__/JsonSerializerTests.JsonAsyncRoundTripTest_document.snap index eed099b8..70a28f65 100644 --- a/tests/CycloneDX.Spdx.Tests/__snapshots__/JsonSerializerTests.JsonAsyncRoundTripTest_document.snap +++ b/tests/CycloneDX.Spdx.Tests/__snapshots__/JsonSerializerTests.JsonAsyncRoundTripTest_document.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.", "created": "2010-01-29T18:30:22Z", 
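Review bot: The commented-out `//[InlineData("v2.2")]` in ValidateXmlStringTest silently drops the SPDX 2.2 validation case instead of keeping it or deleting it; a commented-out theory row is invisible to the test runner and tends to stay that way. If the library still accepts 2.2 documents from untrusted sources, keep a `Resources/v2.2/document.xml` and re-enable the row (the test already takes `version` as a parameter for exactly this), and if 2.2 is no longer supported, remove the line and state that in the commit. Separately, `"document" + ".xml"` is a constant concatenation and reads better as `Path.Join("Resources", version, "document.xml")`. The body of ValidateXmlStringTest continues outside the hunk.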
@@ -9,11 +9,11 @@ "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ], - "licenseListVersion": "3.9" + "licenseListVersion": "3.17" }, "name": "SPDX-Tools-v2.0", "dataLicense": "CC0-1.0", - "comment": "This document was created using CycloneDX.Spdx 2.0 using licenses from the web site.", + "comment": "This document was created using SPDX 2.0 using licenses from the web site.", "externalDocumentRefs": [ { "externalDocumentId": "DocumentRef-spdx-tool-1.2", 
@@ -31,7 +31,7 @@ }, { "licenseId": "LicenseRef-2", - "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\uFFFD Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR \u0060\u0060AS IS\u0027\u0027 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
+ "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00A9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR \u0060\u0060AS IS\u0027\u0027 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." }, { "licenseId": "LicenseRef-4", @@ -77,11 +77,11 @@ "comment": "Another example reviewer." } ], - "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", "documentDescribes": [ "SPDXRef-File", "SPDXRef-Package" ], + "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", "packages": [ { "SPDXID": "SPDXRef-Package", 
@@ -96,6 +96,7 @@ "attributionTexts": [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ], + "builtDate": "2011-01-29T18:30:22Z", "checksums": [ { "algorithm": "MD5", @@ -108,6 +109,10 @@ { "algorithm": "SHA256", "checksumValue": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + }, + { + "algorithm": "BLAKE2b_384", + "checksumValue": "aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706" } ], "copyrightText": "Copyright 2008-2010 John Smith", @@ -121,17 +126,12 @@ }, { "comment": "This is the external ref for Acme", - "referenceCategory": "OTHER", + "referenceCategory": "PERSISTENT_ID", "referenceLocator": "acmecorp/acmenator/4.1.3-alpha", "referenceType": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge" } ], "filesAnalyzed": true, - "hasFiles": [ - "SPDXRef-CommonsLangSrc", - "SPDXRef-JenaLib", - "SPDXRef-DoapSource" - ], "homepage": "http://ftp.gnu.org/gnu/glibc", "licenseComments": "The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change.", "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-3)", 
@@ -150,9 +150,28 @@ ], "packageVerificationCodeValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" }, + "primaryPackagePurpose": "SOURCE", + "hasFiles": [ + "SPDXRef-Specification", + "SPDXRef-Specification", + "SPDXRef-CommonsLangSrc", + "SPDXRef-Specification", + "SPDXRef-CommonsLangSrc", + "SPDXRef-JenaLib", + "SPDXRef-Specification", + "SPDXRef-CommonsLangSrc", + "SPDXRef-JenaLib", + "SPDXRef-DoapSource", + "SPDXRef-Specification", + "SPDXRef-CommonsLangSrc", + "SPDXRef-JenaLib", + "SPDXRef-DoapSource" + ], + "releaseDate": "2012-01-29T18:30:22Z", "sourceInfo": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.", "summary": "GNU C library.", "supplier": "Person: Jane Doe (jane.doe@example.com)", + "validUntilDate": "2014-01-29T18:30:22Z", "versionInfo": "2.11.1" }, { @@ -167,7 +186,6 @@ }, { "SPDXID": "SPDXRef-fromDoap-0", - "copyrightText": "NOASSERTION", "downloadLocation": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", "externalRefs": [ { @@ -178,9 +196,8 @@ ], "filesAnalyzed": false, "homepage": "http://www.openjena.org/", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", "name": "Jena", + "primaryPackagePurpose": "APPLICATION", "versionInfo": "3.12.0" }, { @@ -277,6 +294,20 @@ "LicenseRef-1" ] }, + { + "SPDXID": "SPDXRef-Specification", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "fff4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "Specification Documentation", + "fileName": "./docs/myspec.pdf", + "fileTypes": [ + "DOCUMENTATION" + ] + }, { "SPDXID": "SPDXRef-File", "annotations": [ 
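Review bot: The `hasFiles` array added in the `@@ -150,9 +150,28 @@` hunk names four distinct files fourteen times (`SPDXRef-Specification` ×5, `SPDXRef-CommonsLangSrc` ×4, `SPDXRef-JenaLib` ×3, `SPDXRef-DoapSource` ×2), and accepting this snapshot makes that duplication the certified round-trip output. The array removed in the `@@ -121,17 +126,12 @@` hunk held exactly three unique entries, and the growing copy counts look like a list that is re-appended on each pass rather than a property of the input document, so the code that builds `hasFiles` (not in this diff) appears not to be idempotent; confirm against the input fixture, which I would expect to list each file once. A round trip that lengthens a list every pass is exactly the drift an SBOM consumer will misread as a content change between two exports of the same document. Deduplicate before emitting, e.g. `hasFiles = hasFiles.Distinct().ToList();` on whatever list the builder fills, then regenerate the snapshot so it carries the four unique IDs.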
@@ -314,7 +345,7 @@ "GPL-2.0-only", "LicenseRef-2" ], - "noticeText": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \uFFFDSoftware\uFFFD), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \uFFFDAS IS\u0027, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." 
+ "noticeText": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \u0022Software\u0022), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \u0022AS IS\u0022, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." } ], "snippets": [ 
@@ -356,48 +387,38 @@ "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" }, { "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement", - "relationshipType": "COPY_OF" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-File", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "DESCRIBES" + "relationshipType": "COPY_OF", + "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement" }, { "spdxElementId": "SPDXRef-Package", - "relatedSpdxElement": "SPDXRef-JenaLib", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-Package", - "relatedSpdxElement": "SPDXRef-Saxon", - "relationshipType": "DYNAMIC_LINK" + "relationshipType": "DYNAMIC_LINK", + "relatedSpdxElement": "SPDXRef-Saxon" }, { "spdxElementId": "SPDXRef-CommonsLangSrc", - "relatedSpdxElement": "NOASSERTION", - "relationshipType": "GENERATED_FROM" + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "NOASSERTION" }, { "spdxElementId": "SPDXRef-JenaLib", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" + }, + { + "spdxElementId": "SPDXRef-Specification", + "relationshipType": "SPECIFICATION_FOR", + "relatedSpdxElement": "SPDXRef-fromDoap-0" }, { "spdxElementId": "SPDXRef-File", - "relatedSpdxElement": "SPDXRef-fromDoap-0", - "relationshipType": "GENERATED_FROM" + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "SPDXRef-fromDoap-0" } ] } 
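Review bot: The rewritten `relationships` array in the `@@ -356,48 +387,38 @@` hunk removes both `SPDXRef-DOCUMENT` → `DESCRIBES` entries and `SPDXRef-Package` → `CONTAINS` → `SPDXRef-JenaLib`, so those edges now exist only as the `documentDescribes` and `hasFiles` shorthand arrays elsewhere in the document. Any consumer that walks `relationships` alone will no longer see them, and as far as I know the shorthand and the explicit relationship are allowed to coexist, so unless the conversion deliberately canonicalises to one form the explicit entries should be kept alongside the arrays. If the drop is intentional, the round-trip test should at least assert that the edges survive in the shorthand, otherwise this snapshot silently certifies information loss.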
diff --git a/tests/CycloneDX.Spdx.Tests/__snapshots__/JsonSerializerTests.JsonRoundTripTest_document.snap b/tests/CycloneDX.Spdx.Tests/__snapshots__/JsonSerializerTests.JsonRoundTripTest_document.snap index eed099b8..70a28f65 100644 --- a/tests/CycloneDX.Spdx.Tests/__snapshots__/JsonSerializerTests.JsonRoundTripTest_document.snap +++ b/tests/CycloneDX.Spdx.Tests/__snapshots__/JsonSerializerTests.JsonRoundTripTest_document.snap @@ -1,6 +1,6 @@ { "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", + "spdxVersion": "SPDX-2.3", "creationInfo": { "comment": "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.", "created": "2010-01-29T18:30:22Z", @@ -9,11 +9,11 @@ "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ], - "licenseListVersion": "3.9" + "licenseListVersion": "3.17" }, "name": "SPDX-Tools-v2.0", "dataLicense": "CC0-1.0", - "comment": "This document was created using CycloneDX.Spdx 2.0 using licenses from the web site.", + "comment": "This document was created using SPDX 2.0 using licenses from the web site.", "externalDocumentRefs": [ { "externalDocumentId": "DocumentRef-spdx-tool-1.2", 
@@ -31,7 +31,7 @@ }, { "licenseId": "LicenseRef-2", - "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\uFFFD Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR \u0060\u0060AS IS\u0027\u0027 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." 
+ "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00A9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR \u0060\u0060AS IS\u0027\u0027 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." }, { "licenseId": "LicenseRef-4", @@ -77,11 +77,11 @@ "comment": "Another example reviewer." } ], - "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", "documentDescribes": [ "SPDXRef-File", "SPDXRef-Package" ], + "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", "packages": [ { "SPDXID": "SPDXRef-Package", 
@@ -96,6 +96,7 @@ "attributionTexts": [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ], + "builtDate": "2011-01-29T18:30:22Z", "checksums": [ { "algorithm": "MD5", @@ -108,6 +109,10 @@ { "algorithm": "SHA256", "checksumValue": "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + }, + { + "algorithm": "BLAKE2b_384", + "checksumValue": "aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706" } ], "copyrightText": "Copyright 2008-2010 John Smith", @@ -121,17 +126,12 @@ }, { "comment": "This is the external ref for Acme", - "referenceCategory": "OTHER", + "referenceCategory": "PERSISTENT_ID", "referenceLocator": "acmecorp/acmenator/4.1.3-alpha", "referenceType": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge" } ], "filesAnalyzed": true, - "hasFiles": [ - "SPDXRef-CommonsLangSrc", - "SPDXRef-JenaLib", - "SPDXRef-DoapSource" - ], "homepage": "http://ftp.gnu.org/gnu/glibc", "licenseComments": "The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change.", "licenseConcluded": "(LGPL-2.0-only OR LicenseRef-3)", 
@@ -150,9 +150,28 @@ ], "packageVerificationCodeValue": "d6a770ba38583ed4bb4525bd96e50461655d2758" }, + "primaryPackagePurpose": "SOURCE", + "hasFiles": [ + "SPDXRef-Specification", + "SPDXRef-Specification", + "SPDXRef-CommonsLangSrc", + "SPDXRef-Specification", + "SPDXRef-CommonsLangSrc", + "SPDXRef-JenaLib", + "SPDXRef-Specification", + "SPDXRef-CommonsLangSrc", + "SPDXRef-JenaLib", + "SPDXRef-DoapSource", + "SPDXRef-Specification", + "SPDXRef-CommonsLangSrc", + "SPDXRef-JenaLib", + "SPDXRef-DoapSource" + ], + "releaseDate": "2012-01-29T18:30:22Z", "sourceInfo": "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.", "summary": "GNU C library.", "supplier": "Person: Jane Doe (jane.doe@example.com)", + "validUntilDate": "2014-01-29T18:30:22Z", "versionInfo": "2.11.1" }, { @@ -167,7 +186,6 @@ }, { "SPDXID": "SPDXRef-fromDoap-0", - "copyrightText": "NOASSERTION", "downloadLocation": "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", "externalRefs": [ { @@ -178,9 +196,8 @@ ], "filesAnalyzed": false, "homepage": "http://www.openjena.org/", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", "name": "Jena", + "primaryPackagePurpose": "APPLICATION", "versionInfo": "3.12.0" }, { @@ -277,6 +294,20 @@ "LicenseRef-1" ] }, + { + "SPDXID": "SPDXRef-Specification", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "fff4e1c67a2d28fced849ee1bb76e7391b93f125" + } + ], + "comment": "Specification Documentation", + "fileName": "./docs/myspec.pdf", + "fileTypes": [ + "DOCUMENTATION" + ] + }, { "SPDXID": "SPDXRef-File", "annotations": [ 
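Review bot: The `hasFiles` array introduced in the `@@ -150,9 +150,28 @@` hunk of JsonSerializerTests.JsonRoundTripTest_document.snap contains fourteen entries for four distinct files, with `SPDXRef-Specification` repeated five times and `SPDXRef-CommonsLangSrc` four, whereas the array deleted in the `@@ -121,17 +126,12 @@` hunk had three entries with no repeats. That is a regression the snapshot update accepts rather than a consequence of the SPDX 2.3 migration; the pattern of counts suggests the list is being re-appended on every serialization pass, though the serializer code that would confirm this is outside the diff. A JSON round trip should reproduce the input list, so the expected snapshot value is the four unique IDs, obtained with a `Distinct()` (or a `HashSet<string>`) where the list is populated, after which this snapshot should be regenerated.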
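Review bot: The `@@ -167,7 +186,6 @@` and `@@ -178,9 +196,8 @@` hunks remove `copyrightText`, `licenseConcluded` and `licenseDeclared` from `SPDXRef-fromDoap-0`, each of which previously held the explicit value `NOASSERTION`, so the round-trip output now says nothing about them. If the SPDX 2.3 input fixture still carries those three fields the serializer is discarding them, which is the opposite of what a round-trip snapshot is meant to certify; if the fixture itself omits them the change is fine, but that needs checking against the fixture rather than accepting the snapshot diff. To a licence-compliance consumer an explicit `NOASSERTION` and an absent field are different statements, since the former records that the author looked and made no claim. I would grep the input for `SPDXRef-fromDoap-0` before accepting this, and treat the drop as a serializer bug if the fields are present there.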
@@ -314,7 +345,7 @@ "GPL-2.0-only", "LicenseRef-2" ], - "noticeText": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \uFFFDSoftware\uFFFD), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \uFFFDAS IS\u0027, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." 
+ "noticeText": "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \u0022Software\u0022), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \u0022AS IS\u0022, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." } ], "snippets": [ 
@@ -356,48 +387,38 @@ "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" }, { "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement", - "relationshipType": "COPY_OF" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-File", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "DESCRIBES" + "relationshipType": "COPY_OF", + "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement" }, { "spdxElementId": "SPDXRef-Package", - "relatedSpdxElement": "SPDXRef-JenaLib", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-Package", - "relatedSpdxElement": "SPDXRef-Saxon", - "relationshipType": "DYNAMIC_LINK" + "relationshipType": "DYNAMIC_LINK", + "relatedSpdxElement": "SPDXRef-Saxon" }, { "spdxElementId": "SPDXRef-CommonsLangSrc", - "relatedSpdxElement": "NOASSERTION", - "relationshipType": "GENERATED_FROM" + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "NOASSERTION" }, { "spdxElementId": "SPDXRef-JenaLib", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-Package" + }, + { + "spdxElementId": "SPDXRef-Specification", + "relationshipType": "SPECIFICATION_FOR", + "relatedSpdxElement": "SPDXRef-fromDoap-0" }, { "spdxElementId": "SPDXRef-File", - "relatedSpdxElement": "SPDXRef-fromDoap-0", - "relationshipType": "GENERATED_FROM" + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "SPDXRef-fromDoap-0" } ] } 
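Review bot: Two `SPDXRef-DOCUMENT` `DESCRIBES` relationships and the `SPDXRef-Package` `CONTAINS` `SPDXRef-JenaLib` relationship disappear from `relationships` in the `@@ -356,48 +387,38 @@` hunk, leaving them represented only by the `documentDescribes` and `hasFiles` arrays. Tools that derive the dependency graph purely from `relationships` will lose those edges after conversion, and the two representations are, to my knowledge, permitted side by side, so the explicit entries should be retained unless canonicalising to the shorthand is a documented choice. Either way the round-trip test should assert that the `DESCRIBES` and `CONTAINS` edges are still recoverable from the output, which this snapshot alone does not show.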
diff --git a/tests/CycloneDX.Spdx.Tests/__snapshots__/XmlSerializerTests.XmlRoundTripTest_document.snap b/tests/CycloneDX.Spdx.Tests/__snapshots__/XmlSerializerTests.XmlRoundTripTest_document.snap index 5dc25d7e..caf1c701 100644 --- a/tests/CycloneDX.Spdx.Tests/__snapshots__/XmlSerializerTests.XmlRoundTripTest_document.snap +++ b/tests/CycloneDX.Spdx.Tests/__snapshots__/XmlSerializerTests.XmlRoundTripTest_document.snap @@ -11,10 +11,10 @@ Tool: LicenseFind-1.0 Organization: ExampleCodeInspect () Person: Jane Doe () - 3.9 + 3.17 SPDX-Tools-v2.0 - This document was created using CycloneDX.Spdx 2.0 using licenses from the web site. + This document was created using SPDX 2.0 using licenses from the web site. DocumentRef-spdx-tool-1.2 @@ -58,7 +58,7 @@ LicenseRef-2 This package includes the GRDDL parser developed by Hewlett Packard under the following license: - � Copyright 2007 Hewlett-Packard Development Company, LP + © Copyright 2007 Hewlett-Packard Development Company, LP Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -180,14 +180,9 @@ Person: Suzanne Reviewer Another example reviewer. - http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - SPDXRef-File - SPDXRef-File - SPDXRef-Package - SPDXRef-File - SPDXRef-Package SPDXRef-File SPDXRef-Package + http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 SPDXRef-Package @@ -197,6 +192,7 @@ Package level annotation The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. + 2011-01-29T18:30:22Z MD5 624c1abb3664f4b35547e7c73864ad24 
@@ -209,6 +205,10 @@ SHA256 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd + + BLAKE2b-384 + aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 + Copyright 2008-2010 John Smith The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems. http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz @@ -219,20 +219,11 @@ This is the external ref for Acme - OTHER + PERSISTENT-ID acmecorp/acmenator/4.1.3-alpha http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge true - SPDXRef-CommonsLangSrc - SPDXRef-CommonsLangSrc - SPDXRef-JenaLib - SPDXRef-CommonsLangSrc - SPDXRef-JenaLib - SPDXRef-DoapSource - SPDXRef-CommonsLangSrc - SPDXRef-JenaLib - SPDXRef-DoapSource http://ftp.gnu.org/gnu/glibc The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change. (LGPL-2.0-only OR LicenseRef-3) @@ -247,9 +238,26 @@ ./package.spdx d6a770ba38583ed4bb4525bd96e50461655d2758 + SOURCE + SPDXRef-Specification + SPDXRef-Specification + SPDXRef-CommonsLangSrc + SPDXRef-Specification + SPDXRef-CommonsLangSrc + SPDXRef-JenaLib + SPDXRef-Specification + SPDXRef-CommonsLangSrc + SPDXRef-JenaLib + SPDXRef-DoapSource + SPDXRef-Specification + SPDXRef-CommonsLangSrc + SPDXRef-JenaLib + SPDXRef-DoapSource + 2012-01-29T18:30:22Z uses glibc-2_11-branch from git://sourceware.org/git/glibc.git. GNU C library. Person: Jane Doe (jane.doe@example.com) + 2014-01-29T18:30:22Z 2.11.1 
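Review bot: The `hasFiles` elements added in the `@@ -247,9 +238,26 @@` hunk carry fourteen entries for four distinct files, and the block removed in the `@@ -219,20 +219,11 @@` hunk already showed the same accumulation with nine entries for three files (`SPDXRef-CommonsLangSrc` ×4, `SPDXRef-JenaLib` ×3, `SPDXRef-DoapSource` ×2), so the XML path has been non-idempotent for some time and this update extends the pattern rather than fixing it. The same commit does reduce `documentDescribes` from seven entries to its two real ones in the `@@ -180,14 +180,9 @@` hunk, so whatever de-duplication was applied there should be applied to the package `hasFiles` list as well before this snapshot is accepted. An SBOM that gains duplicate file references on each serialization pass produces spurious diffs for anyone comparing exports, and the snapshot should pin the four unique IDs.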
@@ -264,17 +272,14 @@ SPDXRef-fromDoap-0 - NOASSERTION https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz - PACKAGE_MANAGER + PACKAGE-MANAGER pkg:maven/org.apache.jena/apache-jena@3.12.0 purl false http://www.openjena.org/ - NOASSERTION - NOASSERTION Jena 3.12.0 @@ -353,6 +358,16 @@ LicenseRef-1 LicenseRef-1 + + SPDXRef-Specification + + SHA1 + fff4e1c67a2d28fced849ee1bb76e7391b93f125 + + Specification Documentation + ./docs/myspec.pdf + DOCUMENTATION + SPDXRef-File 
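Review bot: Three `NOASSERTION` elements are removed from the `SPDXRef-fromDoap-0` package in the `@@ -264,17 +272,14 @@` hunk (the element names are lost in this rendering, but they line up with the JSON snapshot's `copyrightText`, `licenseConcluded` and `licenseDeclared`), so the XML round trip no longer emits those statements. Whether that is correct depends on the input fixture, which is not in the diff: if the fixture still states `NOASSERTION` the serializer is dropping data, and a round-trip snapshot should not be regenerated to hide that. Please confirm the fixture before accepting, since an absent licence field and an explicit `NOASSERTION` are read differently by compliance tooling.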
@@ -386,10 +401,10 @@ Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com - Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the �Software�), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: + Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - THE SOFTWARE IS PROVIDED �AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
@@ -403,56 +418,58 @@ 420 - SPDXRef-DoapSource 310 - SPDXRef-DoapSource - 23 SPDXRef-DoapSource - 5 SPDXRef-DoapSource + SPDXRef-DoapSource SPDXRef-DOCUMENT - SPDXRef-Package CONTAINS + SPDXRef-Package SPDXRef-DOCUMENT - DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement COPY_OF + DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement SPDXRef-Package - SPDXRef-Saxon DYNAMIC_LINK + SPDXRef-Saxon SPDXRef-CommonsLangSrc - NOASSERTION GENERATED_FROM + NOASSERTION SPDXRef-JenaLib - SPDXRef-Package CONTAINS + SPDXRef-Package - SPDXRef-File + SPDXRef-Specification + SPECIFICATION_FOR SPDXRef-fromDoap-0 + + + SPDXRef-File GENERATED_FROM + SPDXRef-fromDoap-0